Increasing data availability

ABSTRACT

Systems, methods, and related technologies for increasing data availability. The determining of one or more recommendations to improve classification may include accessing network traffic from a network and selecting an entity. One or more values associated with one or more properties associated with the entity may be determined. The one or more values may be accessed from the network traffic. The entity may be classified and in response to the classification meeting a condition, one or more properties that are unavailable in the network traffic may be determined. A data source associated with the one or more properties for which a value is not present in the network traffic may be determined and the data source associated with the one or more properties that are unavailable in the network traffic may be stored.

TECHNICAL FIELD

Aspects and implementations of the present disclosure relate to network monitoring, and more specifically, classification of entities of a network.

BACKGROUND

As technology advances, the number and variety of devices that are connected to communications networks are rapidly increasing. Each device may have its own respective vulnerabilities which may leave the network open to compromise or other risks. Preventing the spreading of an infection of a device or an attack through a network can be important for securing a communication network.

BRIEF DESCRIPTION OF THE DRAWINGS

Aspects and implementations of the present disclosure will be understood more fully from the detailed description given below and from the accompanying drawings of various aspects and implementations of the disclosure, which, however, should not be taken to limit the disclosure to the specific aspects or implementations, but are for explanation and understanding only.

FIG. 1 depicts an illustrative communication network in accordance with one implementation of the present disclosure.

FIG. 2 depicts an illustrative network topology in accordance with one implementation of the present disclosure.

FIG. 3 depicts a flow diagram of aspects of a method for determining a data source to enhance classification in accordance with one implementation of the present disclosure.

FIG. 4 depicts a diagram of aspects of an example command line interface including data quality in accordance with one implementation of the present disclosure.

FIG. 5 depicts a diagram of aspects of an example command line interface including data quality statistics in accordance with one implementation of the present disclosure.

FIG. 6 depicts a diagram of aspects of an example command line interface including statistics of data sources in accordance with one implementation of the present disclosure.

FIG. 7 depicts illustrative components of a system for determining a data source to enhance classification in accordance with one implementation of the present disclosure.

FIG. 8 is a block diagram illustrating an example computer system, in accordance with one implementation of the present disclosure.

DETAILED DESCRIPTION

Aspects and implementations of the present disclosure are directed to classification (but may be applicable in other areas). The systems and methods disclosed can be employed with respect to network security, among other fields. More particularly, it can be appreciated that devices with vulnerabilities are a significant and growing problem. At the same time, the proliferation of network-connected devices (e.g., internet of things (IoT) devices such as televisions, security cameras, wearable devices, medical devices, etc.) can make it difficult to effectively ensure that network security is maintained. Classification is particularly important for securing a network because lack of knowledge about what a device is can prevent application of appropriate security measures.

Accordingly, described herein in various implementations are systems, methods, techniques, and related technologies, which enable more granular classification by determining and identifying data sources for properties that are unavailable in network traffic. Identifying the data sources for properties that are unavailable in network traffic enables changes (e.g., in network configuration, policy changes, etc.) that make the data available for classification. The increase in data available for classification thereby increases visibility into the devices communicatively coupled to one or more networks.

Many different properties may be relied on to arrive at a classification of an entity or device. The accuracy and granularity of visibility can be correlated with the availability of the specific property values and the specific profile library version. There are various situations, which may be due to lack of administrator or user knowledge, misconfiguration of one or more network monitoring devices, or characteristics of a network environment, that may result in many properties for classification not being observable, resolvable, or available, thereby limiting classification and visibility. The result can be that a device is misclassified or is not classified in a very granular or detailed manner. For example, this can be caused by certain properties not being available, e.g., active scanning properties, dynamic host configuration protocol (DHCP) properties, media access control (MAC) addresses, hypertext transfer protocol (HTTP) user agent, etc. These can be caused by lack of access to network infrastructure, e.g., a switch, router, firewall, etc. (e.g., via a SPAN port), and thereby lack of access to the address resolution protocol (ARP) table of the network infrastructure, which prevents access to the one or more MAC addresses in the ARP table. The lack of MAC address information prevents the organizationally unique identifier (OUI) vendor or NIC vendor from being available for classification. As another example, if switched port analyzer (SPAN) or port mirroring traffic is not available or only a single direction of SPAN traffic is accessible, then HTTP traffic and DHCP traffic may not be available. If a SPAN port or similar port is misconfigured, only unidirectional traffic may be available, which limits the traffic and data (e.g., HTTP user agent, DHCP traffic, etc.) available for classification. Such issues can result in a poor user experience and many devices being classified as unknown or unclassified. Embodiments are able to identify data that is unavailable and make recommendations to make data more available for classification.

As classification is based on the properties available, having fewer properties available means that few or no classification profiles may match the available properties. This can mean that a device may be classified as unknown or only at a very high level (with low granularity), e.g., as an IT device or an OT device. The lack of a detailed classification limits the information available to a user, which could otherwise help the user to provide better security, control, etc.

Embodiments can identify situations where insufficient or incomplete data is available for classification due to misconfiguration of a network monitoring device, network configuration, other settings, etc. By identifying these situations, embodiments can provide information to an administrator or user to fix configuration issues, thereby enabling better or improved classification. The increase in availability of information from fixing one or more configuration or settings issues means that more information or data, including properties, are available for classification and thereby more profiles can be matched. This enables better visibility into the entities of a network and allows issues with classification to be resolved with reduced or no outside assistance.

Improvements in classification in any environment may be proportional to the quality of the data available for classification. An extensive classification profile library is of limited effectiveness if properties are not available to match against the classification profile library. Embodiments are able to identify unavailable data and determine recommendations to increase the data available for classification.

The identification of insufficient data being available for classification can further include one or more checks of one or more configurations or usage based on information available. For example, the checks may include checking whether DHCP traffic is available for a segment, whether a profile library version is too old (e.g., older than a threshold or estimated to be old, for instance, beyond a threshold for regular releases or one or more months), whether manual classification actions have been used (e.g., by a user), whether data sharing is enabled (e.g., with a cloud resource), whether active scan data is available (e.g., unavailable due to active scanning not being enabled, due to SPAN port or port mirroring misconfiguration, due to firewall configurations (for instance local firewalls and network firewalls), etc.), whether unidirectional traffic is being observed (e.g., due to a SPAN port or other port outputting unidirectional traffic, for instance due to misconfiguration), whether digital imaging and communications in medicine (DICOM) traffic is on a non-standard port, and whether there are classification errors (e.g., misclassification, an entity being classified as multiple classification results, unknown or indeterminate device or entity classification, etc.). As another example, DHCP traffic or DHCP properties might be unavailable due to a network configuration (e.g., a SPAN port not sending DHCP traffic), port customization, etc.

General checks may also be performed, including checks for how many unknown classifications and multiple classifications there are, how many entities see particular types of traffic (e.g., network monitoring entities, for instance network monitoring devices 102 and 280-282, that see DHCP traffic), how many entities are subject to active scanning, the vertical, the environment, etc. The information gathered from these checks can be shared with the user.

The checks can be based on the environment, vertical, deployment, segment type, and areas of the network that have been selected (e.g., by a user for checking or improving classification of a network portion). For example, in a healthcare environment, one or more checks for communications or protocols specific to a healthcare environment, e.g., DICOM, may be performed. As another example, in an industrial or operational technology environment, checks for communications using protocols specific to an industrial environment, e.g., DNP3, Modbus, Profibus, may be performed. Checks based on a local deployment can be performed locally by a single network monitoring entity (e.g., network monitor device 102 or 280-282). In a deployment with multiple managed network monitoring entities (e.g., network monitor devices 102 or 280-282) managed by a network monitor manager entity (e.g., network monitor manager 286), the network monitor manager entity can orchestrate or coordinate the checks, recommendation determinations, etc., as described herein, among the multiple managed network monitoring entities. The output from each managed network monitoring entity can be combined by the network monitor manager.

The unclassified entities with unavailable data can be divided into buckets or groups including: DHCP properties missing, session properties missing, HTTP properties missing, common active properties missing, SPAN or port mirroring traffic missing, and OT properties missing (e.g., when an OT plugin or module is present). Absence of SPAN traffic or traffic blind spots (e.g., where traffic is unavailable or is visible in only one direction, for instance, unidirectional traffic) can lead to a network monitoring entity not being able to resolve traffic-related properties that are important for classification.
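As an added illustration (not code from the disclosure), the following Python computes two of the checks listed above, unidirectional traffic and DHCP visibility per segment, from flow records. The flow records, the segment definitions, and the one-way ratio threshold are constructed assumptions for the example; a sensor that sees only one direction of most host pairs is a typical symptom of a SPAN or port-mirror session configured for a single direction.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (assumption for this example): one record per observed
# packet direction, as a sensor fed from a SPAN or port-mirror session would see them.
FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.1.1",  "proto": "udp", "dport": 67},     # DHCP discover
    {"src": "10.0.1.1",  "dst": "10.0.1.10", "proto": "udp", "dport": 68},     # DHCP offer
    {"src": "10.0.1.10", "dst": "10.0.1.50", "proto": "tcp", "dport": 80},     # HTTP request
    {"src": "10.0.1.50", "dst": "10.0.1.10", "proto": "tcp", "dport": 54321},  # HTTP reply
    {"src": "10.0.2.20", "dst": "10.0.2.1",  "proto": "tcp", "dport": 443},    # no reply seen
    {"src": "10.0.2.21", "dst": "10.0.2.1",  "proto": "tcp", "dport": 443},    # no reply seen
    {"src": "10.0.2.22", "dst": "10.0.2.1",  "proto": "tcp", "dport": 104},    # DICOM, no reply seen
]
# Constructed segment definitions (assumption): segment name -> IP network.
SEGMENTS = {"users": ip_network("10.0.1.0/24"), "imaging": ip_network("10.0.2.0/24")}
DHCP_PORTS = {67, 68}


def segment_of(addr, segments):
    """Return the name of the segment containing addr, or None if it is outside all segments."""
    ip = ip_address(addr)
    for name, net in segments.items():
        if ip in net:
            return name
    return None


def segment_stats(flows, segments):
    """Per segment: host pairs seen, how many were seen in one direction only, and whether
    any DHCP traffic (UDP 67/68) originated from the segment."""
    directions = defaultdict(set)  # unordered host pair -> ordered directions observed
    dhcp_seen = defaultdict(bool)
    for f in flows:
        directions[frozenset((f["src"], f["dst"]))].add((f["src"], f["dst"]))
        if f["proto"] == "udp" and f["dport"] in DHCP_PORTS:
            seg = segment_of(f["src"], segments)
            if seg:
                dhcp_seen[seg] = True
    stats = {name: {"pairs": 0, "one_way": 0, "dhcp_seen": dhcp_seen[name]} for name in segments}
    for pair, seen in directions.items():
        # Attribute the pair to every segment that contains one of its endpoints.
        for seg in {segment_of(a, segments) for a in pair} - {None}:
            stats[seg]["pairs"] += 1
            if len(seen) == 1:
                stats[seg]["one_way"] += 1
    return stats


def data_availability_checks(flows, segments, one_way_threshold=0.5):
    """Return (segment, finding) tuples for segments whose traffic looks one-directional
    (a typical SPAN/port-mirror misconfiguration) or that show no DHCP traffic at all."""
    findings = []
    for name, s in segment_stats(flows, segments).items():
        if s["pairs"] and s["one_way"] / s["pairs"] >= one_way_threshold:
            findings.append((name, "unidirectional traffic: check that the SPAN/port-mirror "
                                   "session mirrors both directions"))
        if not s["dhcp_seen"]:
            findings.append((name, "no DHCP traffic visible: check that DHCP for this segment "
                                   "is mirrored or relayed to the monitoring entity"))
    return findings


if __name__ == "__main__":
    for seg, finding in data_availability_checks(FLOWS, SEGMENTS):
        print(f"{seg}: {finding}")
```

On the constructed input the users segment passes both checks, while the imaging segment is flagged twice: every host pair there was seen in one direction only, and no DHCP exchange was observed. In a real deployment the DHCP check should also be satisfied by relayed DHCP (giaddr set) if the relay sits inside the segment, which this simplified version does not distinguish.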

Checks may be performed for traffic or communications on a non-standard or custom port. For example, if a MAC address (e.g., the OUI portion) is associated with a healthcare device manufacturer and there is traffic on a non-standard port, embodiments may prompt a user for the type of traffic (e.g., DICOM) or what protocol is being used with the non-standard port.

In some embodiments, a selection (e.g., by a user) of a network portion (e.g., segment), device types, etc., can be checked for configuration or classification issues, as described herein, based on a user identifying that classification is not satisfactory (e.g., below a threshold).

In various embodiments, the checks can be performed periodically, on demand, or policy triggered. The actions taken or changes made after the recommendations are presented or displayed can be used to determine feedback on the effectiveness of the checks, the recommendations, or a combination thereof. For example, which changes result in a classification, or in significant changes or improvements in the classification, of which entities can be determined or tracked.

In some embodiments, a policy can be created to systematically manage unclassified entities and help a user (e.g., administrator) in analyzing reasons why some entities are unclassified, have multiple classifications, or have low granularity classifications. A classification process may be performed before the policy is run or executed.

The policy allows performing checks for the presence of important classification related data, including properties, thereby enabling determination of possible misconfigurations and common data quality issues leading to the unclassified entities or low granularity classification of one or more entities. In some embodiments, unclassified entities may be divided among buckets or groups for VPN user entities, entities with MAC address issues, and entities with important missing properties (e.g., DHCP properties, HTTP properties, active properties, OT properties, etc.).

In some embodiments, the host information for each entity or endpoint is analyzed to determine which properties are missing or unavailable. Based on the properties that are unavailable, suggestions or recommendations can be made to the user on how to improve classification. For example, if DHCP traffic is not present in the traffic, for instance due to a VPN configuration or a firewall configuration, then a suggestion could be made to change the VPN configuration or the firewall configuration. In some instances, VPN usage may result in local traffic not being available or visible. Traffic to a VPN concentrator or other entity with VPN functionality may be unavailable, and in order for the traffic to be available, the entity with the VPN functionality needs to be configured to make the traffic available (e.g., for analysis for classification). Credentials for the entity with the VPN functionality may be prompted for, or stored credentials used, to log in and reconfigure the entity with the VPN functionality. In various instances, there may be a proxy involved with one or more VPN entities, and changing the configuration of the proxy may be performed to allow the VPN traffic to the proxy to be available (e.g., for analysis for classification, etc.).

In some embodiments, MAC address information may be available once authentication to an entity with VPN functionality has been performed. The MAC address may be used (e.g., with other data, e.g., IP address, etc.) to create an identifier. The identifier can be used to indicate or notify a user that authentication information being unavailable can be an issue if an entity has not been classified.

Other classification issues can be based on use of an out-of-date classification or profile library, or on manual classifications not being shared, such as with a repository (e.g., a cloud based resource), which for instance can improve the profile library based on crowd sourcing of some classifications. For example, an old or out-of-date classification or profile library may include one or more fingerprints or profiles for which updates have been released, and those updates would result in more classifications and fewer unknown classifications than using the old library. An older profile library therefore will be more likely to result in a classification of a device as unknown as compared to a new profile library. Embodiments are able to notify a user that a profile library is, or likely is, out of date (e.g., one or more updates of the profile library have been released).

In other cases, plugin misconfiguration (e.g., a plugin being stopped or misconfigured) can lead to unresolved properties (e.g., DHCP). In some cases, host firewalls (e.g., local software firewalls) or network firewalls can block active scans by a network monitoring device, leading to Nmap and open port properties being unavailable. A misconfiguration of the passive classification functionality can lead to active properties being unavailable as well. For example, this may occur where a user (e.g., administrator) mistakenly adds a network portion (e.g., an IP address range, segment, etc.) to a passive classification group; a network monitoring entity may then be unable to determine active properties for the entities of the network portion (or is configured to not perform active scanning on that network portion). This can result in limited or reduced classification. Embodiments can check for plugin or module misconfigurations as described herein.

In some embodiments, the identifying of insufficient data available for classification can include gathering information from a user. This information can include a vertical (e.g., healthcare, OT, etc.), types of entities commonly encountered in the environment, entity types or segments for which classification is having an issue (e.g., below a confidence threshold), etc. In some embodiments, the vertical, or the common types of entities on a network, may be determined based on classifications of one or more entities on a network (e.g., a network with one or more MRI machines, X-ray machines, etc., can be determined to be a healthcare vertical or environment). In various embodiments, a vertical determined based on one or more entities of the network may be confirmed with a user (e.g., using a notification, displaying a prompt for confirmation, etc.). In some embodiments, the types of entities commonly encountered in the environment may be determined and confirmed with a user. In various embodiments, a determination of a classification and confirmation of the classification with a user may be done based on classification being below a threshold (e.g., a confidence threshold) or a number of unknown devices being above a quantity threshold, etc.

Certain protocols can run on certain well-known ports or be configured to run on custom ports. For example, a user may configure DICOM devices to use a custom port. Embodiments may prompt or notify a user to enter port information for a protocol that is being used on a custom or nonstandard port as part of the checks. Based on the custom port information, embodiments may then monitor communications over the port based on the associated protocol, which can be used for classification, etc. In some embodiments, a user may be prompted or notified if traffic is accessed that is associated with a port that does not have a protocol associated with the port or where more than one protocol may use the port. Embodiments can support a user inputting information so that communication associated with a custom port can be used for classification.

Manual classification of a device may be available to allow a user to manually classify a device. Embodiments may check or access data associated with use of the manual classification and, in response to a user not having used a manual classification function, may notify (e.g., display a message, send a notification, etc.) a user of the manual classification function to encourage the user to manually classify any unknown device or any device not classified with enough granularity (e.g., below a threshold, for instance a confidence threshold). Embodiments are able to upload information associated with the manual classification to a repository (e.g., cloud-based repository), thereby allowing improvement of the profile library (e.g., by updating the profile library based on the information associated with the manual classification).

In some embodiments, in the case of multiple classifications, one or more missing properties may be determined, if any, and a user may be prompted to perform a manual classification. In various embodiments, in the case of an unknown classification, one or more missing properties may be determined, if any, and a user may be prompted to perform a manual classification.

The traffic to and from a port can be treated as a client session property and can be accessed as part of the one or more checks. The traffic to and from a port can be used to match against a profile or fingerprint to classify an entity or device. For example, if a vendor is known to make IP cameras that use TCP port 554, then traffic on TCP port 554 combined with the vendor determined from the MAC address (e.g., from an ARP table on a switch) may be used to classify an entity as an IP camera made by the vendor.
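An added example, not the disclosure's profile library or matching engine, showing how the OUI-plus-port matching above behaves as properties disappear: with both the MAC address and the TCP port 554 session the entity resolves to the vendor-specific camera profile; without the MAC (for instance when the entity is seen through a VPN gateway) only a lower-granularity profile matches; when two equally granular profiles match the result is reported as multiple classifications, as described for the prompt-for-manual-classification cases; and with nothing usable the result is unknown. The OUI table, the profile library, the granularity numbers, and the list of wanted properties are constructed assumptions.

```python
# Constructed OUI-to-vendor table (assumption; real OUI data comes from the IEEE registry).
OUI_VENDORS = {"00:11:22": "CamCorp", "AA:BB:CC": "Acme Medical"}

# Constructed profile library (assumption). A profile matches when every listed property is
# present on the entity: strings must be equal, sets must be a subset of the entity's set.
# Higher granularity means a more specific classification.
PROFILES = [
    {"name": "IP camera (CamCorp)", "granularity": 3,
     "match": {"nic_vendor": "CamCorp", "session_ports": {554}}},
    {"name": "DICOM modality (Acme Medical)", "granularity": 3,
     "match": {"nic_vendor": "Acme Medical", "session_ports": {104}}},
    {"name": "Video streaming device", "granularity": 2, "match": {"session_ports": {554}}},
    {"name": "Medical imaging device", "granularity": 2, "match": {"session_ports": {104}}},
]

# Properties the classifier would like to see (assumption); used to report what is missing.
WANTED_PROPERTIES = ("mac", "dhcp_hostname", "http_user_agent", "session_ports", "open_ports")


def derive_properties(host):
    """Add derived properties (here: NIC vendor from the OUI part of the MAC) to the raw host info."""
    props = dict(host)
    mac = host.get("mac")
    if mac:
        props["nic_vendor"] = OUI_VENDORS.get(mac.upper()[:8])
    return props


def profile_matches(profile, props):
    """True when every property the profile requires is present on the entity and agrees."""
    for key, wanted in profile["match"].items():
        have = props.get(key)
        if have is None:
            return False
        if isinstance(wanted, set):
            if not wanted <= set(have):
                return False
        elif have != wanted:
            return False
    return True


def classify(host):
    """Return the most granular matching profile; 'multiple' when several equally granular
    profiles match and 'unknown' when nothing matches."""
    props = derive_properties(host)
    hits = [p for p in PROFILES if profile_matches(p, props)]
    if not hits:
        return {"classification": "unknown", "granularity": 0, "candidates": []}
    top = max(p["granularity"] for p in hits)
    names = [p["name"] for p in hits if p["granularity"] == top]
    label = names[0] if len(names) == 1 else "multiple"
    return {"classification": label, "granularity": top, "candidates": names}


def missing_properties(host):
    """Properties absent from the host info; these drive the 'make more data available' checks."""
    return [p for p in WANTED_PROPERTIES if not host.get(p)]


if __name__ == "__main__":
    # Constructed entities: full data, the same device seen without its MAC (e.g., behind a
    # VPN gateway), and a device for which only a MAC address is known.
    for host in ({"mac": "00:11:22:33:44:55", "session_ports": {554}},
                 {"session_ports": {554}},
                 {"mac": "AA:BB:CC:01:02:03"}):
        print(classify(host), "missing:", missing_properties(host))
```

The `missing_properties` output is what a troubleshooting feature would turn into a recommendation: for the VPN case it lists `mac` first, which points at the VPN gateway or switch ARP table rather than at the profile library.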

Embodiments can include classification troubleshooting features which provide recommendations to enable more data to be available for classification. The recommendations may be based on checking the data available that is being used for classification. If the results of the checks indicate that data quality is not good, or that some configuration has been set in a way that is not ideal, a user can be presented with (e.g., via a graphical user interface, command line interface, etc.) the one or more recommendations, e.g., changes in configuration to increase the properties available for classification.

In some embodiments, the recommendations may include data quality metrics, which are numerical indicators of the data quality obtained from an environment (e.g., via network traffic, via information directly from the one or more entities of the network, for instance using active scanning, etc.) and serve as feedback to the user for improving classification and visibility of entities in the environment.

The recommendations can be based on various checks. An initial classification of an environment or network may be performed and then one or more checks can be performed to determine data that is unavailable, as described herein. The checks can include whether the latest or most recent version of a data source plugin or module is installed. For example, whether a version of an OT environment plugin is current may be checked for an OT environment. Scripts that are installed, being used, or a combination thereof can be checked. The checks can also include checking if data is being uploaded to a cloud resource. For example, the data being uploaded can include how segmented a network is and if there are any suspicious traffic flows. The checks may further include checking if an entity that functions as a sensor (e.g., analyzing local traffic on an OT network) is configured correctly (e.g., OT properties are available for each entity on one or more networks).

VPN user entities can be unknown entities which are communicatively coupled through VPN to a network. Entities communicatively coupling through VPN commonly suffer low classification rates due to configuration and integration issues. For example, many VPN systems may not make the MAC address of an entity available. In other cases, the MAC address seen is the address of the VPN gateway and not the entity itself, thereby making classification difficult. Firewall rules may also not permit active scans to upstream VPN devices. Embodiments can determine one or more recommendations based on whether a VPN system supports providing MAC addresses. If so, an open or flexible plugin or module can be used, configured, or developed to communicate with the VPN system. If not, and if the entities on the VPN are managed via remote inspection or an agent, then recommendations may include enabling remote inspection or an agent on the entities communicatively coupled via the VPN. This can enable embodiments to obtain the MAC addresses via remote inspection or an agent. The one or more recommendations may further include recommendations to fix firewall issues to allow scanning (e.g., active scanning) of the VPN entities (e.g., VPN infrastructure, entities communicatively coupled via VPN, etc.).

In some embodiments, an order of recommendations may be determined, e.g., based on the effectiveness of each recommendation. For example, a recommendation to change a configuration so that MAC address data is available may result in a 60% improvement in classification, while a change to make DHCP data available may result in a 30% improvement in classification. The recommendations regarding the MAC address data may then be ordered ahead of the recommendations associated with DHCP traffic. The order of the recommendations may be changed as more feedback is received or collected (e.g., on the effectiveness of each recommendation).
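An added example (not from the disclosure) that ties the bucketing of unclassified entities by missing property group, described earlier, to the ordering of recommendations by effectiveness described here. Each bucket carries the recommendation shown to the user; recommendations are ranked by expected gain, i.e. the number of affected entities times the effectiveness estimate for that bucket, so a 60% fix that touches two entities can still rank above a 30% fix that touches three. The buckets, recommendation text, entity records and prior effectiveness values are constructed assumptions, and the feedback update is a simple exponential moving average, which is one possible choice rather than anything the disclosure specifies.

```python
# Constructed buckets (assumption): bucket -> (properties whose absence puts an entity in the
# bucket, recommendation shown to the user).
BUCKETS = {
    "mac_missing": (("mac",),
                    "Give the monitoring entity access to switch ARP/MAC tables or VPN MAC reporting"),
    "dhcp_missing": (("dhcp_hostname", "dhcp_vendor_class"),
                     "Mirror DHCP traffic for the segment or enable the DHCP relay/plugin"),
    "http_missing": (("http_user_agent",),
                     "Check that both directions of SPAN/port-mirror traffic are delivered"),
    "active_missing": (("open_ports", "nmap_os"),
                       "Enable active scanning and allow the scanner through host and network firewalls"),
}

# Constructed host information (assumption). h4 is already classified and is skipped.
HOSTS = [
    {"id": "h1", "classification": "unknown", "http_user_agent": "Mozilla/5.0"},
    {"id": "h2", "classification": "unknown", "mac": "00:11:22:aa:bb:cc"},
    {"id": "h3", "classification": "unknown"},
    {"id": "h4", "classification": "Printer", "mac": "00:11:22:dd:ee:ff", "open_ports": [9100]},
]

# Constructed prior effectiveness estimates (assumption): fraction of affected entities that
# became classified after the recommendation was applied in earlier deployments.
EFFECTIVENESS = {"mac_missing": 0.6, "dhcp_missing": 0.3, "http_missing": 0.2, "active_missing": 0.3}


def bucketize(hosts):
    """bucket -> ids of unclassified entities lacking every property in that bucket."""
    out = {b: [] for b in BUCKETS}
    for h in hosts:
        if h.get("classification") != "unknown":
            continue
        for bucket, (props, _) in BUCKETS.items():
            if not any(h.get(p) for p in props):
                out[bucket].append(h["id"])
    return out


def order_recommendations(buckets, effectiveness):
    """Rank non-empty buckets by expected gain = affected entities * effectiveness.
    Returns (bucket, recommendation, affected, expected_gain) tuples, best first."""
    ranked = []
    for bucket, ids in buckets.items():
        if ids:
            gain = round(len(ids) * effectiveness.get(bucket, 0.0), 2)
            ranked.append((bucket, BUCKETS[bucket][1], len(ids), gain))
    ranked.sort(key=lambda r: (-r[3], r[0]))  # highest gain first, bucket name as tie-break
    return ranked


def update_effectiveness(effectiveness, bucket, unknown_before, unknown_after, alpha=0.5):
    """Feedback step: blend the observed improvement (fraction of unknowns resolved after the
    recommendation was applied) into the stored estimate and return the new value."""
    observed = (unknown_before - unknown_after) / unknown_before if unknown_before else 0.0
    previous = effectiveness.get(bucket, observed)
    effectiveness[bucket] = round(alpha * observed + (1 - alpha) * previous, 4)
    return effectiveness[bucket]


if __name__ == "__main__":
    for row in order_recommendations(bucketize(HOSTS), EFFECTIVENESS):
        print(row)
```

After a recommendation is applied, the caller re-runs classification, counts how many of the bucket's entities are still unknown, and feeds both counts to `update_effectiveness`; the next ranking then reflects what actually worked in this environment rather than only the prior.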

In some embodiments, the profile library may be checked to determine if it is older than a threshold (e.g., three months) and a recommendation to download a new or updated profile library may be made. In some embodiments, the recommendation to download a new or updated profile library may be based on updates to the profile library being available each month. In various embodiments, statistics may be presented of the number of new profiles (e.g., 100 profiles added) that are now available in the profile library, a number of conflicts that have been resolved, or a combination thereof.

In some embodiments, the change to the firewall configuration could be suggested and performed by embodiments (e.g., based on logging into the firewall and changing the configuration of the firewall). For example, if MAC addresses are unavailable in the network traffic, then a switch, a VPN entity, or the network monitoring entity itself (e.g., network monitor device 102) may not have been correctly configured to make MAC addresses available. Embodiments may recommend one or more changes to one or more network devices, a VPN device, or the embodiments themselves to enable the MAC addresses to be available.

Based on the identification of insufficient data being available for classification, one or more recommendations and data quality metrics can be determined, based on the one or more checks of one or more configurations or usage based on information. The one or more recommendations can be presented or displayed to a user or sent to the user as a notification, as described herein. The recommendations can include directions to perform one or more configuration changes, updates to software, updates to one or more profile libraries, network related changes, etc. The one or more recommendations can be displayed or sent to a user with instructions (e.g., text) describing how to fix or change network configuration or other settings to resolve the issue of information or data involving properties being unavailable for classification.

For example, if information or properties associated with active scanning are unavailable, a user may be directed to a portion of a graphical user interface to enable active scanning. It is appreciated that certain environments (e.g., healthcare, OT, manufacturing, etc.) may be sensitive to active scanning and as such active scanning may be limited or not be an option. The recommendations may be based on an environment or a vertical associated with one or more networks (e.g., based on feedback of classification improvement in other similar environment or vertical networks). For example, recommendations for a healthcare network may include ways to change a configuration for a DICOM device, whereas a recommendation for an OT environment may include a way to change a configuration to make SPAN port or port mirroring traffic data available. The recommendations may further be based on the size of a vertical or environment, the types of devices on one or more networks, or a combination thereof. The recommendations may be based on the different verticals having different general network organizations or segments, or different deployment practices (e.g., a single or local network monitor entity, for instance network monitor devices 102 or 280-282, or multiple managed network monitor entities, for instance, managed by network monitor manager 286).

Entities with MAC address issues can occur in several situations and potentially lead to an entity remaining unclassified or having a low granularity classification. For example, the situation of a MAC address not being available can be caused by an unmanaged switch through which an entity communicatively couples, where a network monitoring entity (e.g., network monitoring device 102) is unable to read the ARP table from the unmanaged switch. Embodiments can recommend, create, or a combination thereof, a policy to detect and flag unmanaged switches to help identify issues with a MAC address being unavailable. For entities with private or locally administered MAC addresses, checks can be performed on configurations to ensure that a network monitoring entity (e.g., network monitoring device 102) can obtain alternate data (e.g., DHCP traffic, active scanning data, etc.). For entities with an unknown vendor (e.g., unknown OUI), a recommendation of manual classification can be determined. A manual classification (e.g., by a user) can then be used to improve the profile library for classification (e.g., both locally and remotely).

A user may be prompted to confirm if a classification issue (e.g., classification granularity below a threshold, classification confidence below a threshold, etc.) has been resolved after the application of one or more recommendations.

Improvements in classification can be tracked as well. The improvement may be used as feedback to improve classification, as described herein. For example, if an information source becomes available after a configuration check and results in a drastic classification improvement, that can be tracked (and be part of the feedback). In some embodiments, a user may be able to submit feedback (e.g., a rating out of five stars). The feedback can be used to improve the checks and the recommendations. For example, as each recommendation is performed, the improvement in classification may be determined (e.g., as a percentage increase of entities classified). The feedback may then be analyzed using machine learning (e.g., to train a model). For example, the feedback could be used as a training data set for what recommendations worked, what recommendations did not work, and the degree to which the recommendation changed or improved classification.

In some embodiments, where manual actions have been used by the user, the manual classification may be used as feedback to identify misclassifications or improve the profile library with the manually entered classification.

Feedback from a user may be gathered, including the results of the application of one or more recommendations. The feedback may include the information gathered from a user, the configurations checked, results of the configuration checks, usage information, recommendations, changes made after recommendations, and changes in classifications of one or more entities. The feedback can be submitted (e.g., to a cloud resource or other repository) to enable further enhancement of classification and visibility features.

In various embodiments, an entity may be classified as multiple entities based on the information available matching multiple profiles and the information being insufficient to classify the entity as a single entity. A notification or prompt may then be sent or presented to a user to manually classify the device.

Often the reason for unclassified entities is a lack of good data. This can be thought of as:

Right configuration→right data→better classification

In some embodiments, a data quality indicator may be shown for host information to indicate the quality of the data available (e.g., available for classification). The indicator may be numerical (e.g., in the range of 0-100) and based on a function of the available information (e.g., DHCP traffic, active scan information, SPAN traffic, etc.) and act as a scorecard for data quality. In various embodiments, a graphical user interface (GUI) may include the data quality indicator with different colors (e.g., a score of 0-20 can be red, 21-40 orange, 41-79 yellow, and 80-100 green, etc.) to give visual feedback to a user. Additionally, the data quality indicator can be for a particular network portion (e.g., a particular segment, a collection of segments, a location, etc.).

Good quality data may be defined as data including properties that enable a classification to be above a particular threshold (e.g., a confidence threshold). Bad quality data may be defined as data including properties that do not enable a classification to be above a particular threshold (e.g., a confidence threshold).
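The following is an added example, not code from the disclosure, showing how the confidence threshold above and the "multiple profiles" case described earlier fit together: an entity's observed properties are matched against a small profile library, and when the data is insufficient the unavailable properties are reported together with the data source each would come from. The profile library, property names, the property-to-source map and the threshold value are illustrative assumptions.

```python
# Added example, not code from the disclosure: classification of one entity
# against a small profile library with a confidence threshold, reporting the
# 'multiple profiles' case and the unavailable properties (and the data source
# each comes from) that would disambiguate. The profiles, property names,
# the property-to-source map and the threshold are illustrative assumptions.

from typing import Dict, List, Tuple

CONFIDENCE_THRESHOLD = 0.75  # assumed

# Assumed: which data source supplies each property.
PROPERTY_SOURCE: Dict[str, str] = {
    "mac_vendor": "switch ARP/MAC table (requires switch credentials)",
    "dhcp_vendor_class": "DHCP traffic (requires SPAN/mirror)",
    "http_user_agent": "HTTP traffic (requires SPAN/mirror)",
    "open_ports": "active scan",
    "os": "agent or active scan",
}

# Assumed profile library: the property values each profile expects.
PROFILES: Dict[str, Dict[str, str]] = {
    "IP camera (vendor A)": {"mac_vendor": "VendorA", "dhcp_vendor_class": "cam", "open_ports": "80,554"},
    "NVR (vendor A)": {"mac_vendor": "VendorA", "dhcp_vendor_class": "nvr", "open_ports": "80,554,8000"},
    "Windows workstation": {"os": "Windows", "open_ports": "135,445"},
}


def profile_confidences(observed: Dict[str, str]) -> Dict[str, float]:
    """Confidence = matched properties / properties in the profile. An observed
    property whose value conflicts with the profile rules that profile out."""
    out: Dict[str, float] = {}
    for name, profile in PROFILES.items():
        if any(k in observed and observed[k] != v for k, v in profile.items()):
            continue
        matched = sum(1 for k, v in profile.items() if observed.get(k) == v)
        out[name] = matched / len(profile)
    return out


def classify(observed: Dict[str, str]) -> Tuple[str, List[str], List[Tuple[str, str]]]:
    """Returns (status, candidate profiles, missing (property, data source) pairs).
    status: 'classified' (one profile at or above the threshold), 'multiple'
    (several profiles tie at the top, so the data cannot single out one entity),
    or 'unknown' (no single profile reaches the threshold)."""
    conf = profile_confidences(observed)
    if not conf:
        return "unknown", [], []
    best = max(conf.values())
    top = sorted(n for n, c in conf.items() if c == best)
    # Properties the top candidates need that are not in the observed data,
    # each paired with the data source that would supply it.
    missing = sorted({(p, PROPERTY_SOURCE[p]) for n in top for p in PROFILES[n] if p not in observed})
    if len(top) == 1 and best >= CONFIDENCE_THRESHOLD:
        return "classified", top, missing
    if len(top) > 1 and best > 0.0:
        return "multiple", top, missing
    return "unknown", top, missing


if __name__ == "__main__":
    # Constructed observation: only the MAC vendor is known (no SPAN, no active scan).
    print(classify({"mac_vendor": "VendorA"}))
```

With only a MAC vendor observed, the camera and NVR profiles tie and the entity is reported as "multiple", with DHCP vendor class (from SPAN) and open ports (from an active scan) listed as the properties that would resolve it; once those are available the same call returns a single classification.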

In some embodiments, a data quality metric or score may be determined to inform or communicate to a user the relative amount of data, e.g., including properties for classification, that is unavailable or missing, or what information could be made accessible to further improve the overall classification. Embodiments are able to address the root cause of misclassification by addressing the data quality issue to increase the data available and thereby the number of properties that are available (e.g., for classification).

In some embodiments, the data quality score may have a range of 0-100. The data quality score can indicate the data quality associated with one or more network portions (e.g., segments), on an entity basis, or a combination thereof.

In various embodiments, the data quality score may be based on a score computed using this equation:

$score = \sum_{i=1}^{n} weight_i \times entity\_property_i + \sum_{j=1}^{m} weight_j \times network\_property_j$

Where weight_i is the weight associated with entity property i. For example, a weight associated with a particular entity being managed (e.g., with many properties available, including services, registry keys, vulnerability information, etc.) may be higher than a weight associated with a particular entity having open ports.

Where entity_property_i is whether a particular entity property is present (e.g., 1) or missing (e.g., 0). In some embodiments, the entity property may be associated with whether an entity has a particular agent installed. When the score is computed for a network portion rather than a single entity, entity_property_i may instead be a fraction: for example, entity_property_i may be the percent of entities that are actively managed. As another example, entity_property_i may be the percent of entities that have agents.

Where weight_j is the weight associated with network property j. For example, a weight associated with a DHCP property may be higher than a weight associated with an HTTP property.

Where network_property_j is whether a particular network property is present (e.g., 1) or missing (e.g., 0), or, for a network portion, the fraction for which it is present. For example, network_property_j may be the percent of the network that is actively scanned. As another example, network_property_j may be the percent of network traffic available.

Where n is the number of entity properties (e.g., total number of entity properties) and m is the number of network properties (e.g., total number of network properties).
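The following is an added example, not code from the disclosure, that computes the weighted-sum score defined above, scales it to the 0-100 range, maps it to the color bands of the GUI scorecard, and lists the absent properties in order of the weight they would recover. The property names and weight values are assumptions chosen only to reflect the orderings stated in the text (a managed entity outweighs open ports; DHCP outweighs HTTP); the weights sum to 1 so that all properties present gives 100.

```python
# Added example, not code from the disclosure: a data quality score of the
# weighted-sum form given above, normalized to 0-100, with the colour bands
# the GUI scorecard uses. The property names and weights are assumptions
# chosen to reflect the text's ordering (managed > open ports, DHCP > HTTP).

from typing import Dict, List

# Assumed entity-property weights (weight_i) and network-property weights (weight_j).
ENTITY_WEIGHTS: Dict[str, float] = {"managed": 0.30, "has_agent": 0.20, "open_ports": 0.10}
NETWORK_WEIGHTS: Dict[str, float] = {"dhcp": 0.20, "active_scan": 0.10, "span": 0.05, "http": 0.05}
TOTAL_WEIGHT = sum(ENTITY_WEIGHTS.values()) + sum(NETWORK_WEIGHTS.values())


def _check_indicators(props: Dict[str, float], allowed: Dict[str, float]) -> None:
    """Indicators are 1/0 for a single entity, or a fraction in [0, 1] when the
    score is for a network portion (e.g. the percent of entities with an agent)."""
    for name, value in props.items():
        if name not in allowed:
            raise KeyError(f"unknown property {name!r}")
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: indicator must be in [0, 1], got {value}")


def data_quality_score(entity_props: Dict[str, float], network_props: Dict[str, float]) -> int:
    """score = sum_i weight_i * entity_property_i + sum_j weight_j * network_property_j,
    scaled so that every property present gives 100. Unlisted properties count as missing (0)."""
    _check_indicators(entity_props, ENTITY_WEIGHTS)
    _check_indicators(network_props, NETWORK_WEIGHTS)
    raw = sum(w * entity_props.get(p, 0.0) for p, w in ENTITY_WEIGHTS.items())
    raw += sum(w * network_props.get(p, 0.0) for p, w in NETWORK_WEIGHTS.items())
    return int(round(100.0 * raw / TOTAL_WEIGHT))


def score_colour(score: int) -> str:
    """Colour bands from the text: 0-20 red, 21-40 orange, 41-79 yellow, 80-100 green."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score <= 20:
        return "red"
    if score <= 40:
        return "orange"
    if score <= 79:
        return "yellow"
    return "green"


def missing_properties(entity_props: Dict[str, float], network_props: Dict[str, float]) -> List[str]:
    """Weighted properties that are entirely absent, highest weight first (ties by
    name), i.e. the data whose recovery would raise the score the most."""
    absent = [(w, p) for p, w in ENTITY_WEIGHTS.items() if entity_props.get(p, 0.0) == 0.0]
    absent += [(w, p) for p, w in NETWORK_WEIGHTS.items() if network_props.get(p, 0.0) == 0.0]
    return [p for _, p in sorted(absent, key=lambda wp: (-wp[0], wp[1]))]


if __name__ == "__main__":
    # Constructed snapshot for one segment: no managed hosts, no agents, no DHCP seen.
    segment_entity = {"managed": 0.0, "has_agent": 0.0, "open_ports": 1.0}
    segment_network = {"dhcp": 0.0, "active_scan": 1.0, "span": 1.0, "http": 1.0}
    s = data_quality_score(segment_entity, segment_network)
    print(s, score_colour(s), missing_properties(segment_entity, segment_network))
```

For the constructed segment the score is 30 (orange), and the ordered list of absent properties tells the operator that onboarding managed hosts, then recovering DHCP traffic or deploying agents, would move the score the most.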

Embodiments are thus able to make a user aware of whether data quality is affecting classification of one or more entities on a network. For example, embodiments may display or send a notification that classification may be improved if a particular configuration is changed.

In some embodiments, a GUI component includes a wizard type interface running on an entity (e.g., network monitoring manager 286) managing one or more network monitor entities (e.g., network monitoring device 102), where the wizard type interface invokes the one or more checks of one or more configurations or usage based on information provided, as described herein. Based on the checks, one or more recommendations can be determined, as described herein. The wizard type interface may then be used to review and invoke one or more recommendations and associated actions, as described herein.

In various embodiments, a command line interface (CLI) tool can be used to perform the one or more checks of one or more configurations or usage based on information provided, as described herein. Example output from a CLI tool is shown in FIGS. 4-6. In some embodiments, a VPN related flag may be stored in host information to identify whether an entity has VPN tunneling.

Embodiments can determine data source issues on any network portion (e.g., one or more segments) and determine information or suggestions to resolve issues with data sources (e.g., change network configuration or access to enable access to data for classification). When embodiments are performed or executed on an entity managing (e.g., network monitoring manager 286) one or more network monitoring entities (e.g., one or more of network monitoring device 102), host information for each network monitoring entity can be analyzed and statistics shown (e.g., how many entities are visible and how many entities cannot be classified) related to each network monitoring entity. The statistics can include information associated with which properties and associated information are missing, e.g., SPAN information, DHCP information, active properties, etc. The data sources of each property may also be indicated, along with whether each data source is active or inactive. This information may give a user an idea of whether a portion of a network monitoring entity, a switch or other network device, or another network portion is misconfigured. In some embodiments, machine learning may be used to generate the suggestions on how to remedy limited classification or visibility situations.

Embodiments may operate in a distributed manner, which allows scaling to the network size. A managing entity (e.g., network monitor manager 286) may push or install embodiments onto managed entities (e.g., network monitor devices 280-282), which then perform or execute embodiments. In some embodiments, the managing entity may be a cloud based entity (e.g., executes or performs actions based on executing in a cloud). The managed entities (e.g., network monitor devices 280-282) may then perform the checks and determine recommendations, as described herein, and the results may be sent to the managing entity. This allows monitoring of the data quality on each network portion associated with each network monitoring entity and the associated metrics or scores for each network monitoring entity. The data quality on each network portion associated with each monitoring entity and the associated metrics or scores can be used to determine the criticality (e.g., how critical the risk associated with a network portion is) of the one or more networks associated with the network monitoring entity.

Embodiments enable better understanding of deployment scenarios of a network monitoring entity (e.g., network monitor device 102) and best practices of users from different verticals (e.g., healthcare, financial, manufacturing, etc.). For example, a hospital or financial company may have a flatter network, so it may be common for switch login information not to be configured in a network monitoring entity, which may result in host MAC address information being unavailable. Traditional IT companies may lack devices or ports to provide SPAN or mirror traffic, etc. This gives embodiments the possibility of providing custom configuration or deployment recommendations tailored to each user. For example, equipment recommendations or a list of specifications can be provided.

Embodiments are operable to determine the areas where visibility is limited and provide information to a user to resolve limited visibility situations. Embodiments are able to analyze the available properties, other information, and information on the causes of the limited visibility. The correlation of the available properties, other information, and information on the causes of the limited visibility enables correction of the causes of limited visibility. Embodiments are able to enhance or refine the recommendations over time using feedback based on the recommendations and the changes in classification after the recommendations are implemented. This can be performed using a cloud based resource or other repository for uploading recommendations and classification results after performance of each recommendation, and for providing information that can be used for determining recommendations and properties that are unavailable.

Embodiments may further advantageously be used as part of a setup process for a network monitor entity (e.g., network monitor device 102). For example, an initial setup may be done of a network monitor entity (e.g., network monitor devices 102, 280-282) and then embodiments may be used to determine if information for classification is unavailable to the network monitor entity and to determine one or more recommendations or actions that can be used to enable more information to be available for classification. Embodiments can thereby accelerate setup by identifying information that is unavailable for classification and determining one or more actions that can be taken to make the information for classification available.

Embodiments advantageously help resolve classification issues in an automated manner by identifying one or more properties unavailable in network traffic and the data sources associated therewith. Embodiments enable understanding of the current classification status and its relation to the configuration of a network, the configuration of a network monitoring entity, and other configurations, thereby enabling identification and resolution of areas where classification is limited. This enables users to learn where they can improve the configuration of their environment for maximum visibility. Visibility is also a precursor to classification, so maximal visibility is key to achieving maximal classification. Embodiments thus allow a user to see where their visibility blind spots are and improve discovery and classification.

Advantageously, embodiments are configured for improving classification by identifying data (e.g., including properties) that is unavailable for classification and determining recommendations for increasing the data available for classification. The recommendations can include changes to configurations of network devices, updates to the profile library, input of credentials for network devices, etc. Embodiments thus enable increasing data, including properties, to improve classification.

Accordingly, described herein in various implementations are systems, methods, techniques, and related technologies, which enable improved classification. As described herein, improved classification can be enabled by the determination of recommendations to enable more data, including properties, to be available for classification.

It can be appreciated that the described technologies are directed to and address specific technical challenges and longstanding deficiencies in multiple technical areas, including but not limited to network security, monitoring, and policy enforcement. It can be further appreciated that the described technologies provide specific, technical solutions to the referenced technical challenges and unmet needs in the referenced technical fields.

An entity or entities, as discussed herein, include devices (e.g., computer systems, for instance laptops, desktops, servers, mobile devices, IoT devices, OT devices, healthcare devices, financial devices, etc.), network devices or infrastructure (e.g., firewall, switch, access point, router, enforcement point, etc.), endpoints, virtual machines, services, serverless services (e.g., cloud based services), containers (e.g., user-space instances that work with an operating system featuring a kernel that allows the existence of multiple isolated user-space instances), cloud based storage, accounts, and users. Depending on the entity, an entity may have an IP address (e.g., a device) or may be without an IP address (e.g., a serverless service).

Enforcement points, including firewalls, routers, switches, cloud infrastructure, other network devices, etc., may be used to enforce segmentation on a network (and different address subnets may be used for each segment) and to restrict communications between one or more network portions. Enforcement points may enforce segmentation by filtering or dropping packets according to the network segmentation policies or rules.

The enforcement points may be one or more network devices (e.g., firewalls, routers, switches, virtual switch, hypervisor, SDN controller, virtual firewall, etc.) that are able to enforce access or other rules, ACLs, or the like to control (e.g., allow or deny) communication and network traffic (e.g., including dropping packets) between the entity and one or more other entities communicatively coupled to a network. Access rules may control whether an entity can communicate with other entities in a variety of ways including, but not limited to, blocking communications (e.g., dropping packets sent to one or more particular entities), allowing communication between particular entities (e.g., a desktop and a printer), allowing communication on particular ports, etc. It is appreciated that an enforcement point may be any device that is capable of filtering, controlling, restricting, or the like, communication or access on a network.

Operational Technology (OT) can include devices from a wide variety of industries, including, but not limited to, medical systems, electrical systems (e.g., power generation, power distribution, and other power utility devices and infrastructure), oil and gas plants, mining facilities, manufacturing systems, water distribution systems, chemical industry systems, pharmaceutical systems, infrastructure systems (e.g., used with roads, railways, tunnels, bridges, dams, and buildings), and other industrial control systems.

FIG. 1 depicts an illustrative communication network 100, in accordance with one implementation of the present disclosure. The communication network 100 includes a network monitor device 102, a network device 104, an aggregation device 106, a system 150, devices 120 and 130, and network coupled devices 122 a-b. The devices 120 and 130 and network coupled devices 122 a-b may be any of a variety of devices or entities including, but not limited to, computing systems, laptops, smartphones, servers, Internet of Things (IoT) or smart devices, supervisory control and data acquisition (SCADA) devices, operational technology (OT) devices, campus devices, data center devices, edge devices, etc. It is noted that the devices of communication network 100 may communicate in a variety of ways, including wired and wireless connections, and may use one or more of a variety of protocols.

Network device 104 may be one or more network devices configured to facilitate communication among aggregation device 106, system 150, network monitor device 102, devices 120 and 130, and network coupled devices 122 a-b. Network device 104 may be one or more network switches, access points, routers, firewalls, hubs, etc.

Network monitor device 102 may be operable for a variety of tasks including performing classification of entities of network 100, determining one or more checks (e.g., for data availability) based on the classification, determining one or more data sources that are unavailable, determining one or more properties that are unavailable, and determining one or more recommendations to increase data available for classification, as described herein. Network monitor device 102 may further perform one or more of the one or more recommendations automatically (e.g., without user involvement), upon user selection, or a combination thereof, as described herein.

Network monitor device 102 may provide an interface (e.g., a command line interface (CLI) or graphical user interface (GUI)) for viewing and monitoring classification along with data available for classification and data unavailable for classification. This can include a data quality metric or score, as described herein, along with associated statistics. Network monitor device 102 is thereby able to provide details of the current state of classification, indicators of where data is unavailable, and one or more recommendations on how to increase data availability and thereby improve classification.

Network monitor device 102 may further perform a variety of operations including identification, classification, and taking one or more remediation actions (e.g., changing network access of an entity, changing the virtual local area network (VLAN), sending an email, sending a short message service (SMS) message, active actions, passive actions, etc.), as described herein.

Network monitor device 102 may be a computing system, network device (e.g., router, firewall, an access point), network access control (NAC) device, intrusion prevention system (IPS), intrusion detection system (IDS), deception device, cloud-based device, virtual machine based system, etc. Network monitor device 102 may be an enforcement point including, but not limited to, a router, firewall, switch, hypervisor, software-defined networking (SDN) controller, virtual firewall, a next generation firewall (NGFW), cloud infrastructure, or other network device or infrastructure device.

Network monitor device 102 may be communicatively coupled to the network device 104 in such a way as to receive network traffic flowing through the network device 104 (e.g., port mirroring, sniffing, acting as a proxy, passive monitoring, etc.). In some embodiments, network monitor device 102 may include one or more of the aforementioned devices. In various embodiments, network monitor device 102 may further support high availability and disaster recovery (e.g., via one or more redundant devices).

In some embodiments, network monitor device 102 may monitor a variety of protocols (e.g., Samba, hypertext transfer protocol (HTTP), secure shell (SSH), file transfer protocol (FTP), transmission control protocol/internet protocol (TCP/IP), user datagram protocol (UDP), Telnet, HTTP over secure sockets layer/transport layer security (SSL/TLS), server message block (SMB), point-to-point protocol (PPP), remote desktop protocol (RDP), windows management instrumentation (WMI), windows remote management (WinRM), proprietary protocols, etc.).

The monitoring of entities by network monitor device 102 may be based on a combination of one or more pieces of information including traffic analysis, information from external or remote systems (e.g., system 150), communication (e.g., querying) with an aggregation device (e.g., aggregation device 106), and querying the entity itself (e.g., via an API, CLI, web interface, SNMP, etc.), which are described further herein. Network monitor device 102 may be operable to use one or more APIs to communicate with aggregation device 106, device 120, device 130, or system 150. Network monitor device 102 may monitor for or scan for entities that are communicatively coupled to a network via a NAT device (e.g., firewall, router, etc.) dynamically, periodically, or a combination thereof.

Information from one or more external or 3rd party systems (e.g., system 150) may further be used for determining one or more tags or characteristics for an entity. For example, a vulnerability assessment (VA) system may be queried to verify or check if an entity is in compliance and provide that information to network monitor device 102. External or 3rd party systems may also be used to perform a scan or a check on an entity to determine a software version.

Device 130 can include agent 140. The agent 140 may be a hardware component, software component, or some combination thereof configured to gather information associated with device 130 and send that information to network monitor device 102. The information can include the operating system, version, patch level, firmware version, serial number, vendor (e.g., manufacturer), model, asset tag, software executing on an entity (e.g., anti-virus software, malware detection software, office applications, web browser(s), communication applications, etc.), services that are active or configured on the entity, ports that are open or that the entity is configured to communicate with (e.g., associated with services running on the entity), media access control (MAC) address, processor utilization, unique identifiers, computer name, account access activity, etc. The agent 140 may be configured to provide different levels and pieces of information based on device 130 and the information available to agent 140 from device 130. Agent 140 may be able to store logs of information associated with device 130. Network monitor device 102 may utilize agent information from the agent 140. While network monitor device 102 may be able to receive information from agent 140, installation or execution of agent 140 on many entities may not be possible, e.g., IoT or smart devices.

System 150 may be one or more external, remote, or third party systems (e.g., separate) from network monitor device 102 and may have information about devices 120 and 130 and network coupled devices 122 a-b. System 150 may include a vulnerability assessment (VA) system, a threat detection (TD) system, an endpoint management system, a mobile device management (MDM) system, a firewall (FW) system, a switch system, an access point system, etc. Network monitor device 102 may be configured to communicate with system 150 to obtain information about devices 120 and 130 and network coupled devices 122 a-b on a periodic basis, as described herein. For example, system 150 may be a vulnerability assessment system configured to determine if device 120 has a computer virus or other indicator of compromise (IOC).

The vulnerability assessment (VA) system may be configured to identify, quantify, and prioritize (e.g., rank) the vulnerabilities of an entity. The VA system may be able to catalog assets and capabilities or resources of an entity, assign a quantifiable value (or at least rank order) and importance to the resources, and identify the vulnerabilities or potential threats of each resource. The VA system may provide the aforementioned information for use by network monitor device 102.

The advanced threat detection (ATD) or threat detection (TD) system may be configured to examine communications that other security controls have allowed to pass. The ATD system may provide information about an entity including, but not limited to, source reputation, executable analysis, and threat-level protocol analysis. The ATD system may thus report if a suspicious file has been downloaded to a device being monitored by network monitor device 102.

Endpoint management systems can include anti-virus systems (e.g., servers, cloud based systems, etc.), next-generation antivirus (NGAV) systems, endpoint detection and response (EDR) software or systems (e.g., software that records endpoint-system-level behaviors and events), and compliance monitoring software (e.g., checking frequently for compliance).

The mobile device management (MDM) system may be configured for administration of mobile devices, e.g., smartphones, tablet computers, laptops, and desktop computers. The MDM system may provide information about mobile devices managed by the MDM system including operating system, applications (e.g., running, present, or both), data, and configuration settings of the mobile devices, and activity monitoring. The MDM system may be used to get detailed mobile device information which can then be used for device monitoring (e.g., including device communications) by network monitor device 102.

The firewall (FW) system may be configured to monitor and control incoming and outgoing network traffic (e.g., based on security rules). The FW system may provide information about an entity being monitored including attempts to violate security rules (e.g., unpermitted account access across segments) and network traffic of the entity being monitored.

The switch or access point (AP) system may be any of a variety of network devices (e.g., network device 104 or aggregation device 106) including a network switch or an access point, e.g., a wireless access point, or a combination thereof that is configured to provide an entity access to a network. For example, the switch or AP system may provide MAC address information, address resolution protocol (ARP) table information, device naming information, traffic data, etc., to network monitor device 102, which may be used to monitor entities and control network access of one or more entities. The switch or AP system may have one or more interfaces for communicating with IoT or smart devices or other devices (e.g., ZigBee™, Bluetooth™, etc.), as described herein. The VA system, ATD system, and FW system may thus be accessed to get vulnerabilities, threats, and user information of an entity being monitored in real-time, which can then be used to determine a risk level of the entity.

Aggregation device 106 may be configured to communicate with network coupled devices 122 a-b and provide network access to network coupled devices 122 a-b. Aggregation device 106 may further be configured to provide information (e.g., operating system, entity software information, entity software versions, entity names, applications present, running, or both, vulnerabilities, patch level, etc.) to network monitor device 102 about the network coupled devices 122 a-b. Aggregation device 106 may be a wireless access point that is configured to communicate with a wide variety of devices through multiple technology standards or protocols including, but not limited to, Bluetooth™, Wi-Fi™, ZigBee™, Radio-frequency identification (RFID), Light Fidelity (Li-Fi), Z-Wave, Thread, Long Term Evolution (LTE), Wi-Fi™ HaLow, HomePlug, Multimedia over Coax Alliance (MoCA), and Ethernet. For example, aggregation device 106 may be coupled to the network device 104 via an Ethernet connection and coupled to network coupled devices 122 a-b via a wireless connection. Aggregation device 106 may be configured to communicate with network coupled devices 122 a-b using a standard protocol with proprietary extensions or modifications.

Aggregation device 106 may further provide log information of activity and properties of network coupled devices 122 a-b to network monitor device 102. It is appreciated that log information may be particularly reliable for stable network environments (e.g., where the types of devices on the network do not change often). The log information may include information on updates of software of network coupled devices 122 a-b.

FIG. 2 depicts an illustrative network topology in accordance with one implementation of the present disclosure. FIG. 2 depicts an example network 200 with multiple enforcement points (e.g., firewalls 202-206 and switches 210-220) and network monitor devices 280-282 (e.g., network monitor device 102) which can perform classification, as described herein, associated with the various entities communicatively coupled to example network 200. Network monitor devices 280-282 can further determine one or more checks to determine if data, including properties, is unavailable for classification and determine one or more recommendations to increase the data (e.g., and properties) available for classification, as described herein. The information gathered by network monitor devices 280-282 can be used to make changes (e.g., changes to network infrastructure configuration, etc.) to increase classification, etc., as described herein.

Example network 200 further includes network monitor manager 286 which is configured to manage network monitor devices 280-282. In some embodiments, network monitor manager 286 is configured to manage classification of entities of example network 200. Network monitor manager 286 is operable to render, display, etc., a dashboard of various entity statistics and data from network monitor devices 280-282. This can include entity classifications, data quality metrics, recommendations, etc., as described herein. This information may also be displayed or rendered by network monitor devices 280-282. Network monitor manager 286 may initiate one or more checks by network monitor devices 280-282 to check for data availability for classification, as described herein. Network monitor manager 286 may further aggregate, compile, etc., a plurality of recommendations for increasing data available for classification of the entities throughout example network 200 as determined by network monitor devices 280-282. In some embodiments, network monitor manager 286 may be a cloud based entity (e.g., and be accessible via Internet 250). Network monitor manager 286 may monitor the version of the profile libraries of network monitor devices 280-282 to ensure that their profile libraries are up to date or current.

FIG. 2 shows example devices 230-262 (e.g., devices 106, 122 a-b, 120, and 130, other physical or virtual devices, other entities, etc.) and it is appreciated that more or fewer network devices or other entities may be used in place of the devices of FIG. 2. Example devices 230-262 may be any of a variety of devices or entities (e.g., OT devices, IoT devices, IT devices, etc.), as described herein. Enforcement points including firewalls 202-206 and switches 210-220 may be any entity (e.g., network device 104, cloud infrastructure, etc.) that is operable to allow traffic to pass, drop packets, restrict traffic, etc. Network monitor devices 280-282 may be any of a variety of network devices or entities, e.g., router, firewall, an access point, network access control (NAC) device, intrusion prevention system (IPS), intrusion detection system (IDS), deception device, cloud-based device or entity, virtual machine based system, etc. Network monitor devices 280-282 may be substantially similar to network monitor device 102. Embodiments support IPv4, IPv6, and other addressing schemes. In some embodiments, network monitor devices 280-282 may be communicatively coupled with firewalls 202-206 and switches 210-220 through additional individual connections (e.g., to receive or monitor network traffic through firewalls 202-206 and switches 210-220).

Switches 210-220 communicatively couple the various devices of network 200 including firewalls 202-206, network monitor devices 280-282, and devices 230-262. Firewalls 202-206 may perform network address translation (NAT), and firewall 202 may communicatively couple the devices 230-234, which are behind the firewall 202, with network monitor device 280, switch 210, and firewall 206. Firewall 206 communicatively couples network 200 to Internet 250 and firewall 206 may restrict or allow access to Internet 250 based on particular rules or ACLs configured on firewall 206. Firewalls 202-206 and switches 210-220 are enforcement points, as described herein.

Network monitor devices 280-282 are configured to identify, classify, and determine one or more characteristics or properties of entities (e.g., devices 230-262), determine one or more checks for data available for classification, determine data and properties that are unavailable, and determine one or more recommendations to increase data available for classification on network 200, as described herein. Network monitor devices 280-282 can access network traffic from network 200 (e.g., via port mirroring or SPAN ports of firewalls 202-206 and switches 210-220). Network monitor devices 280-282 can perform passive scanning of network traffic by observing and accessing portions of packets from the network traffic of network 200. Network monitor devices 280-282 may perform an active scan of an entity of network 200 by sending one or more requests to the entity of network 200. The information from passive and active scans of entities of network 200 can be used to classify the entity of network 200, determine one or more checks for data availability, and determine one or more recommendations to increase data available for classification, as described herein. The increase in data available for classification thereby allows improved classification.

As shown, network 200 includes network portions 290-292. Network portions 290-292 may be VLANs, SSIDs, segments, subnetworks, etc. Network monitor devices 280-282 may determine classifications for each entity of network portions 290-292 (e.g., based on data available on each of the network portions 290-292, etc.), as described herein. One or more of network portions 290-292 may be selected (e.g., by a user) for classification improvement by embodiments, as described herein.

For example, if SPAN traffic is unavailable from switch 210, then network monitor device 280 may not receive DHCP traffic, HTTP traffic, active scanning traffic, etc., which may result in limited granularity of classification of devices 260-262, devices 260-262 being classified as multiple devices, or devices 260-262 being classified as unknown. Network monitor device 280 may determine one or more checks to be performed (e.g., for data available for classification) and perform the one or more checks, as described herein. Network monitor device 280 may determine one or more recommendations based on the one or more checks performed. The recommendations may include a recommendation to reconfigure or enable the SPAN port on switch 210 to send traffic to network monitor device 280. This recommendation could also be determined if traffic in only one direction (e.g., unidirectional traffic) is being received by network monitor device 280.

As another example, if MAC address information for devices 260-262 is unavailable to network monitor device 280, the classification of devices 260-262 could be of limited granularity, multiple classifications, or unknown classifications. Network monitor device 280 may perform one or more checks (e.g., for network infrastructure credentials, etc.) and determine a recommendation to a user to provide or input into network monitor device 280 the credentials for switch 210. Network monitor device 280 can then access the ARP table of switch 210 and access the MAC addresses of devices 260-262 from the ARP table to classify devices 260-262.

Network monitor devices 280-282 may, as part of the checks, check the version of the local profile library against the currently available profile library (e.g., available via Internet 250). If the local profile library is out of date, network monitor devices 280-282 may update the local profile library, thereby increasing or improving the fingerprints available for classification.

With reference to FIG. 3, flowchart 300 illustrates example operations used by various embodiments. Although specific operation blocks (“blocks”) are disclosed in flowchart 300, such blocks are examples. That is, embodiments are well suited to performing various other blocks or variations of the blocks recited in flowchart 300. It is appreciated that the blocks in flowchart 300 may be performed in an order different than presented, and that not all of the blocks in flowchart 300 may be performed.

FIG. 3 depicts a flow diagram of aspects of a method for determining a data source to enhance classification in accordance with one implementation of the present disclosure. Various portions of flowchart 300 may be performed by different components (e.g., components of system 700) of an entity (e.g., network monitor device 102 or network monitor device 280). Flowchart 300 depicts a process for determining one or more checks for properties and one or more data sources that are unavailable, determining one or more recommendations associated with one or more data sources, and (optionally) performing one or more actions (e.g., changing a network configuration, sending or presenting a notification, etc.), as described herein. Flowchart 300 may be performed after an initial classification.

At block 302, traffic data is accessed. The traffic may be accessed by a network monitoring entity (e.g., network monitoring devices 102 or 280-282) via a port mirroring or SPAN port. The traffic data may include one or more properties for each entity communicatively coupled to one or more networks. The traffic may include active scanning properties (e.g., if active scanning is enabled).

At block 304, configuration and metadata are accessed. The configuration and metadata accessed may be configuration data and metadata of a network monitoring entity (e.g., network monitoring devices 102 or 280-282). This can include properties that the network monitoring entity is monitoring or collecting, software versions (e.g., of the profile library of the network monitoring entity), plugin or module versions (e.g., that may be able to access data, for instance from other systems), etc., and the internal configuration or settings of the network monitoring entity (e.g., network monitoring devices 102 or 280-282). In some embodiments, one or more properties associated with one or more entities managed by a network monitoring entity may also be accessed.

At block 306, vertical or environment data and other user associated data is accessed. The data accessed may include vertical (e.g., industry), environment (e.g., branch, data center, campus, etc.), and one or more selected (e.g., by a user) segments or network portions where there are issues (e.g., classification issues). In some embodiments, various information (e.g., vertical, common type of devices for the network or network portions, segments, areas with classification issues, etc.) may be obtained from a user (e.g., based on user entry, for instance, in response to a prompt to provide the information).

At block 308, data is accessed from third party systems (e.g., system 150, an external system, etc.). The data from third party systems may be accessed from the third party systems via a plugin or module of the network monitoring entity. For example, this data could be accessed from a variety of systems including, but not limited to, a vulnerability assessment (VA) system, a threat detection (TD) system, an endpoint management system, a mobile device management (MDM) system, a firewall (FW) system, a switch system, an access point system, a WMI script, network infrastructure, an entity itself, etc.

At block 310, one or more checks to be performed are determined. In some embodiments, the checks may be determined based on a classification of an entity meeting a condition. The condition can include at least one of a classification confidence value associated with the classification being below a threshold, a plurality of classifications associated with the entity, or an unknown classification. The one or more checks may be determined based on the data accessed (e.g., from the traffic, configuration and metadata, vertical or environment data and other user associated data, data from third party systems, etc.) and customized for the environment or entity types present. For example, the one or more checks determined for a hospital may include checks for DICOM communications, whereas the one or more checks determined for an OT environment may not include checks for DICOM communications but instead for communications using common OT protocols.

At block 312, the one or more checks are performed. The checks may be performed based on the data available for classification, as described herein. In some embodiments, the performing of the checks includes computing metrics for data quality, data quality statistics, and statistics for data sources (e.g., as shown in FIGS. 4-6), as described herein.

At block 314, one or more recommendations are determined. The recommendations may be based on a determination of which information or data is unavailable (e.g., from the traffic, configuration and metadata, vertical or environment data and other user associated data, data from various systems, etc.) based on the checks, as described herein. In some embodiments, one or more recommendations may be based on a determination of one or more properties that are unavailable in the information available from a system (e.g., an external system, an entity itself, etc.). The recommendations may also be based on a determined data quality, where a low data quality score may be used to determine recommendations. The recommendations may be ordered based on criticality, as described herein.

For example, some of the recommendations may be for resolving one or more entities being classified as unknown due to issues with a profile library as well as data quality or availability issues. If there were 50 devices that were classified as unknown based on having a single property for each device, that could be a data quality issue and the recommendations could include configuration changes to increase the data available for classification. If there were another 50 devices that were classified as unknown based on having five properties for each device, that could be a profile library issue and the recommendations could include updating the profile library.

The recommendations may be determined as text (e.g., instructions or lists of updates, configuration or other changes that could be made to increase data availability) or as automated actions (e.g., that are performed automatically, for instance, without user input, or invoked via a button in a user interface). In some embodiments, the determination of recommendations may include determining updates, configuration changes, etc., to make MAC address information available, make DHCP information available, make VPN information available, and determine an ordering of the updates, configuration changes, etc., that should be performed, as described herein.

At block 316, one or more recommendations are displayed. The recommendations may be displayed in a command line interface or graphical user interface. The recommendations may be displayed based on order of priority or criticality, as described herein.

At block 318, one or more recommendations are performed. In some embodiments, the recommendations may be performed automatically or invoked via a button in a user interface. In various embodiments, the recommendations may be performed based on user input to perform specific recommendations.

At block 320, feedback is determined based on the one or more recommendations performed. The feedback may be based on improvement of classification for each recommendation performed, as described herein.

At block 322, the feedback is sent. The feedback may be sent to a cloud based resource or other repository where the feedback can be used to further improve the check determinations, the one or more checks, the one or more recommendation determinations, and classification.

Block 302 may then be performed, e.g., on a periodic basis, on a prompted basis (e.g., user prompted), on a schedule, on a cloud service based schedule, or based on a policy. For example, a policy may be created for entities, network portions, etc., that are associated with low or poor data quality (e.g., below a threshold). The policy can automatically invoke process 300 in response to low data quality for the one or more entities, network portions, etc., associated with the low data quality (and reduced classification).

While example user interfaces 400-600 of FIGS. 4-6 may be described with respect to devices or device groups, embodiments support other entities (e.g., users, services, etc.). User interfaces 400-600 may be rendered or displayed by an entity or device (e.g., network monitor device 102 or network monitor devices 280-282, network monitor manager 286). The example user interfaces 400-600 may be command line interfaces, graphical user interfaces, etc. The example user interfaces 400-600 may be part of a dashboard or webpage, and be based on cloud collected information (e.g., from one or more networks) and based on information from one or more network monitoring devices (e.g., network monitor device 102 or 280-282).

FIG. 4 depicts a diagram of aspects of an example command line interface including data quality in accordance with one implementation of the present disclosure. A data health indicator or data quality metric can represent an overall metric for how much data is available to be used for visibility, classification, etc. Example interface 400 is configured for viewing variation of classification coverage based on data quality. Example interface 400 includes description of data quality 402 and table 404.

Example user interface 400 includes a summary of the results of the previous checks (e.g., checks for data) and a summary result of how well the available data is being used for visibility or classification. In some embodiments, a button or option may be presented that allows viewing of additional statistics or shows changes that can be made to increase data availability or reduce the amount of unavailable data.

In various embodiments, a data quality metric can be based on having a number of points or a score associated with data being unavailable from various sources of information. For example, SPAN traffic being unavailable could be associated with a score of 30 points or DHCP traffic being unavailable could be worth 20 points (where a higher score is worse). As another example, having a single unclassified device could be worth one point whereas 50 unclassified devices could be worth 50 points.
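The following is an added example, not code from the patent, that works through blocks 310-314 of flowchart 300 together with the point scheme just described: the condition that triggers checks, vertical-specific check selection, a data quality score (30 points for missing SPAN traffic and 20 for missing DHCP as in the text; the remaining weights, check names, property names and recommendation texts are assumptions), and recommendations ordered by criticality, including the single-property versus five-property diagnosis of unknown devices.

```python
from dataclasses import dataclass, field


@dataclass
class Entity:
    """Classification record for one entity after an initial classification.
    Field names are assumptions for this example."""
    ip: str
    classifications: list        # candidate function/OS labels; empty = unknown
    confidence: float            # confidence of the top candidate, 0.0 to 1.0
    properties: dict = field(default_factory=dict)


def meets_condition(e, threshold=0.7):
    """Block 310 condition: confidence below a threshold, a plurality of
    classifications, or an unknown classification."""
    return (not e.classifications or len(e.classifications) > 1
            or e.confidence < threshold)


def determine_checks(vertical):
    """Block 310: base data-availability checks, customized per vertical."""
    checks = ["span_traffic", "bidirectional_traffic", "dhcp_traffic",
              "switch_credentials", "profile_library_current"]
    if vertical == "hospital":
        checks.append("dicom_traffic")          # DICOM expected in a hospital
    elif vertical == "ot":
        checks.append("ot_protocol_traffic")    # common OT protocols instead
    return checks


def perform_checks(checks, sources):
    """Block 312: each check resolves to True (data available) or False."""
    return {c: bool(sources.get(c, False)) for c in checks}


# Points added when a source is unavailable (higher is worse). The SPAN (30)
# and DHCP (20) values follow the text; the rest are assumptions.
POINTS = {"span_traffic": 30, "dhcp_traffic": 20, "switch_credentials": 15,
          "profile_library_current": 10, "bidirectional_traffic": 10,
          "dicom_traffic": 5, "ot_protocol_traffic": 5}


def data_quality_score(results, entities):
    """Points for each failed check plus one point per unclassified entity."""
    score = sum(POINTS.get(c, 0) for c, ok in results.items() if not ok)
    return score + sum(1 for e in entities if not e.classifications)


# (criticality rank, recommendation text) per failed check; lower rank first.
RECOMMENDATIONS = {
    "span_traffic": (1, "Enable or reconfigure the SPAN port on the switch"),
    "bidirectional_traffic": (1, "Only one traffic direction is mirrored; mirror both"),
    "switch_credentials": (2, "Provide switch credentials so ARP tables can be read"),
    "dhcp_traffic": (2, "Ensure DHCP traffic is mirrored to the monitor"),
    "profile_library_current": (3, "Update the local profile library"),
    "dicom_traffic": (4, "No DICOM traffic seen; verify imaging segments are mirrored"),
    "ot_protocol_traffic": (4, "No OT protocol traffic seen; verify OT segments are mirrored"),
}


def determine_recommendations(results, entities):
    """Block 314: recommendations for failed checks plus the unknown-device
    diagnosis (one property: data issue; five or more: profile library),
    returned in order of criticality."""
    recs = [RECOMMENDATIONS[c] for c, ok in results.items()
            if not ok and c in RECOMMENDATIONS]
    unknown = [e for e in entities if not e.classifications]
    if any(len(e.properties) <= 1 for e in unknown):
        recs.append((2, "Unknown devices with a single property: increase data availability"))
    if any(len(e.properties) >= 5 for e in unknown):
        recs.append((3, "Unknown devices with five or more properties: update profile library"))
    recs.sort(key=lambda r: r[0])          # stable sort keeps check order within a rank
    return [text for _, text in recs]


# Constructed sample input (not real data).
SAMPLE_ENTITIES = [
    Entity("10.0.1.10", [], 0.0, {"ip": "10.0.1.10"}),
    Entity("10.0.1.11", [], 0.0, {"ip": "10.0.1.11", "mac": "00:11:22:33:44:55",
                                  "vendor": "ACME", "open_ports": [80, 443],
                                  "hostname": "cam-7"}),
    Entity("10.0.1.12", ["printer", "ip_camera"], 0.55, {"ip": "10.0.1.12"}),
    Entity("10.0.1.13", ["windows_workstation"], 0.95, {"ip": "10.0.1.13"}),
]
SAMPLE_SOURCES = {"span_traffic": True, "bidirectional_traffic": True,
                  "dhcp_traffic": False, "switch_credentials": False,
                  "profile_library_current": True, "dicom_traffic": True}


def run(vertical="hospital", entities=SAMPLE_ENTITIES, sources=SAMPLE_SOURCES):
    """Blocks 310-314 for a set of entities; checks run only if some entity
    meets the condition. Returns (data quality score, ordered recommendations)."""
    if not any(meets_condition(e) for e in entities):
        return 0, []
    results = perform_checks(determine_checks(vertical), sources)
    return data_quality_score(results, entities), determine_recommendations(results, entities)


if __name__ == "__main__":
    score, recs = run()
    print("data quality score:", score)    # 37 for the sample above
    for r in recs:
        print("-", r)
```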

Table 404 depicts percentages of coverage of entities associated with various numbers of properties. Table 404 includes column 410 and column 412. Column 410 includes the host property count or number of properties associated with the entities being classified. Column 412 includes the operating system (OS) or function coverage percentage for the number of properties in the associated row of column 410. The coverage percentage reflects that the more data or properties available, the better the configuration (e.g., network device configuration, plugin or module configuration, etc.) and the better the visibility. For example, FIG. 4 shows that when there are greater than seven properties available for each host or entity, 100% of the OS or function is known or classified. This shows that the better the configuration, the more data available, and thereby the better the classification.

FIG. 5 depicts a diagram of aspects of an example command line interface including data quality statistics in accordance with one implementation of the present disclosure. Example graphical user interface (GUI) 500 is configured for viewing various data quality statistics associated with classification.

Example GUI 500 includes table 502. Table 502 shows data quality statistics on an endpoint (e.g., device or entity) basis. Example interface 500 depicts that active scanning properties, DHCP properties, hostinfo, and MAC address information are unavailable for various percentages of endpoints. This can be indicative that there are information availability or configuration issues that could be reducing classification quality or accuracy and that should be resolved to improve classification. For example, this could be caused by DHCP traffic or other traffic not being available via one or more SPAN ports on a network.

The percentages of table 502 can help a user understand where to make changes to allow data relevant to classification to be made available. For example, the percentage of endpoints with no MAC address can indicate that access to certain network equipment is unavailable (e.g., credentials for particular network switches are unavailable, so the ARP tables of those switches are unavailable).

Table 502 further indicates whether manual actions have been used to classify the Function/OS of entities of a network, for example, by indicating Yes or No in relation to Function/OS classified by Manual Action as shown in FIG. 5.

Embodiments can further support statistics associated with entities associated with misclassifications, multiple classifications, DICOM, unidirectional traffic, etc. In some embodiments, a criticality may be associated with each type of information. For example, having the function or operating system may be critical for each entity while having active scan traffic may not be as critical. Changes can be determined with respect to data sources (SPAN traffic, DHCP traffic, etc.) associated with critical properties (e.g., function, operating system, etc.). The changes determined to be associated with critical properties can be presented or displayed (e.g., to a user) first or with an indicator to reflect the critical nature of the associated property or data source. This can thereby encourage the changes associated with critical properties or data sources to be performed first.

In some embodiments, network monitoring entities may be ranked and the segments associated with each network monitoring entity may be ranked based on critical properties that are unavailable. This can be based on the network monitoring entities and segments having different configurations. This can allow prioritization of which network portions to focus on first.

FIG. 6 depicts a diagram of aspects of an example command line interface including statistics of data sources contributing to host information in accordance with one implementation of the present disclosure. Example graphical user interface (GUI) 600 is configured for viewing risk statistics of sources of information that contribute toward endpoint hostinfo or host information. Example GUI 600 includes table 602 which includes columns 604 and 606.

Table 602 indicates whether a source of information is available (e.g., >0%) or unavailable (e.g., 0%). The percentage being greater than zero reflects that properties associated with that source are available. A percentage of zero indicates that the source or data source is unavailable. If the percentage is zero, that may indicate that the source is unavailable or there is a configuration issue with the data source. For example, if the SPAN traffic source is associated with zero percent of endpoints, that would indicate that one or more SPAN ports are not configured correctly. As another example, if a VPN data source is associated with zero percent of endpoints, that may indicate that a VPN plugin or module is not configured, is not functioning, etc.

Sources of data are listed in column 604. Column 606 shows the percentage of endpoints for which a particular data source provides data or properties. IP Helper is a general data source that provides general network information (e.g., IP addresses, etc.) associated with entities. In some embodiments, the information sources are associated with plugins for a network monitoring entity (e.g., network monitoring device 102) for interfacing with various sources of information (e.g., switches, cloud resources, SPAN, Nmap, VPN resources, virtual environments, etc.).

For example, table 602 depicts that information from switches is available for 68.01% of the endpoints, DNS information is available for 1% of the switches, and Azure information is unavailable or not available for any of the endpoints.
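As an added example (not the patent's code) of how the statistics behind tables 404, 502 and 602 can be computed, the block below takes constructed per-endpoint records in which every observed property is tagged with the data source that supplied it, and derives the OS/function coverage per property count, the percentage of endpoints missing a given property, and the percentage of endpoints each data source contributes to, flagging sources at 0% as unavailable or misconfigured. The source names, property names and the records themselves are assumptions.

```python
from collections import defaultdict

# Constructed per-endpoint records (not real data). Each observed property is
# tagged with the data source that supplied it; names are assumptions.
ENDPOINTS = [
    {"id": "ep1", "function_known": True,
     "props": {"ip": "ip_helper", "mac": "switch", "vendor": "switch",
               "dhcp_hostname": "span_dhcp", "http_user_agent": "span_http",
               "open_ports": "nmap", "os_banner": "nmap", "dns_name": "dns"}},
    {"id": "ep2", "function_known": True,
     "props": {"ip": "ip_helper", "mac": "switch",
               "dhcp_hostname": "span_dhcp", "open_ports": "nmap"}},
    {"id": "ep3", "function_known": False,
     "props": {"ip": "ip_helper", "open_ports": "nmap"}},
    {"id": "ep4", "function_known": False,
     "props": {"ip": "ip_helper"}},
]

# Data sources the monitor has plugins for (column 604). In this sample the
# VPN and Azure plugins exist but supply nothing, as a misconfigured one would.
SOURCES = ["switch", "span_dhcp", "span_http", "nmap", "dns", "ip_helper",
           "vpn", "azure"]


def pct(n, total):
    """Percentage rounded to two places, matching the 68.01% style of table 602."""
    return round(100.0 * n / total, 2) if total else 0.0


def coverage_by_property_count(endpoints):
    """Table 404: for each host property count, the percentage of endpoints
    with that many properties whose function/OS is known."""
    groups = defaultdict(list)
    for e in endpoints:
        groups[len(e["props"])].append(e["function_known"])
    return {n: pct(sum(known), len(known)) for n, known in sorted(groups.items())}


def missing_property_stats(endpoints, props):
    """Table 502: percentage of endpoints lacking each listed property."""
    return {p: pct(sum(1 for e in endpoints if p not in e["props"]), len(endpoints))
            for p in props}


def source_contribution(endpoints, sources):
    """Table 602: percentage of endpoints for which each source supplied at
    least one property."""
    return {s: pct(sum(1 for e in endpoints if s in e["props"].values()),
                   len(endpoints)) for s in sources}


def unavailable_sources(contribution):
    """A source at 0% is unavailable or misconfigured (e.g., a plugin that is
    not set up, or a SPAN port that is not sending traffic)."""
    return [s for s, p in contribution.items() if p == 0.0]


if __name__ == "__main__":
    print("coverage by property count:", coverage_by_property_count(ENDPOINTS))
    print("missing:", missing_property_stats(ENDPOINTS, ["mac", "dhcp_hostname", "open_ports"]))
    contrib = source_contribution(ENDPOINTS, SOURCES)
    print("source contribution:", contrib)
    print("check configuration of:", unavailable_sources(contrib))
```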

Example interface 600 may include more or fewer information sources based on the environment or vertical being monitored or scanned. For example, an information technology environment might not have OT information sources available. As another example, an OT environment might not have a Windows™ information source or virtual environment (e.g., VMware™) information source available. In some embodiments, the list of information sources is tailored based on the information gathered, as described herein, e.g., vertical, types of devices commonly encountered in the environment, device types and segments where there is a classification issue, etc.

FIG. 7 illustrates example components used by various embodiments. Although specific components are disclosed in system 700, it should be appreciated that such components are examples. That is, embodiments are well suited to having various other components or variations of the components recited in system 700. It is appreciated that the components in system 700 may operate with other components than those presented, and that not all of the components of system 700 may be required to achieve the goals of system 700.

FIG. 7 depicts illustrative components of a system for determining a data source to enhance classification in accordance with one implementation of the present disclosure. Example system 700 or classifier 700 includes a network communication interface 702, an external system interface 704, a traffic monitor component 706, a data access component 708, a check determination component 710, a check performing component 712, a display component 714, a notification component 716, an action component 718, a recommendation determination component 720, a recommendation performing component 722, and a feedback component 724. The components of system 700 may be part of a computing system or other electronic device (e.g., network monitor device 102 or network monitor devices 280-282) or a virtual machine or device and be operable to monitor one or more entities communicatively coupled to a network, monitor network traffic, and classify the one or more entities, as described herein. For example, the system 700 may further include a memory and a processing device, operatively coupled to the memory, which may perform the operations of or execute the components of system 700. The components of system 700 may access various data and characteristics or properties associated with an entity (e.g., network communication information or traffic), data associated with one or more entities (e.g., from network devices, local resources, cloud resources, external systems, for instance system 150), etc., as described herein. It is appreciated that the modular nature of system 700 may allow the components to be independent and allow flexibility to enable or disable individual components or to extend, upgrade, or combine components without affecting other components, thereby providing scalability and extensibility. System 700 may perform one or more blocks of flow diagram 300.

Communication interface 702 is operable to communicate with one or more entities (e.g., network device 104, firewalls 202-206, switches 210-220, other devices coupled thereto, devices 230-262, etc.) coupled to a network that are coupled to system 700 and to receive or access information about entities (e.g., device information, device communications, device characteristics, properties, etc.), access information as part of a passive scan, send one or more requests as part of an active scan, and receive active scan results or responses (e.g., responses to requests), as described herein. The communication interface 702 may be operable to work with one or more components to initiate access to characteristics or determination of characteristics of an entity to allow determination of one or more properties which may then be used for device compliance, asset management, standards compliance, classification, identification, etc., as described herein. Communication interface 702 may be used to receive and store network traffic for determining properties, as described herein.

External system interface 704 is operable to communicate with one or more third party, remote, or external systems to access information including characteristics or attributes associated with an entity. External system interface 704 may further store the accessed information in a data store. For example, external system interface 704 may access information from a vulnerability assessment (VA) system to enable determination of one or more compliance or risk characteristics associated with the entity. External system interface 704 may be operable to communicate with a vulnerability assessment (VA) system, an advanced threat detection (ATD) system, a mobile device management (MDM) system, a firewall (FW) system, a switch system, an access point (AP) system, etc. External system interface 704 may query a third party system using an API or CLI. For example, external system interface 704 may query a firewall or a switch for information (e.g., network session information) about an entity or for a list of entities (e.g., an ARP table) that are communicatively coupled to the firewall or switch and communications associated therewith. In some embodiments, external system interface 704 may query a switch, a firewall, or other system for information of communications or properties associated with an entity.

Traffic monitor component 706 is operable to monitor network traffic to determine if a new entity has joined the network or an entity has rejoined the network, and to monitor traffic for analysis by check determination component 710, check performing component 712, recommendation determination component 720, recommendation performing component 722, and feedback component 724, among others, as described herein. Traffic monitor component 706 may have a packet engine operable to access packets of network traffic (e.g., passively) and analyze the network traffic. The traffic monitor component 706 may further be able to access and analyze traffic logs from one or more entities (e.g., network device 104, system 150, or aggregation device 106) or from an entity being monitored. The traffic monitor component 706 may further be able to access traffic analysis data associated with an entity being monitored, e.g., where the traffic analysis is performed by a third party system.

Data access component 708 is operable for accessing data including metadata associated with one or more network monitoring entities (e.g., network monitor devices 102 or 280-282), including properties that the network monitoring entity is monitoring or collecting, software versions (e.g., of the profile library of the network monitoring entity), and the internal configuration of the network monitoring entity. Data access component 708 may further access vertical or environment data and other user associated data, including vertical, environment, common type of devices for the network or network portions, segments, areas with classification issues, etc., as described herein.

Check determination component 710 is operable to determine one or more checks to be performed, as described herein. The checks may be based on classification results (e.g., unknown classifications, multiple classifications, low granularity classifications, etc.) and the checks may be determined or configured to determine data available for classification. For example, a check may check whether SPAN traffic is available, whether MAC address information is available, or whether DICOM traffic is present on the network.

Check performing component 712 is operable to perform the one or more checks, as described herein. The performing of the checks may include determining whether credentials are available for one or more network devices, whether there are devices using VPN, how one or more SPAN ports are configured, etc.

Display component 714 is configured to optionally display one or more graphical user interfaces or other interfaces (e.g., command line interface) for depicting various information associated with entities or devices, one or more checks to be performed, results of one or more checks, one or more recommendations, various classification related statistics, etc., as described herein.

Notification component 716 is operable to initiate one or more notifications based on the results of monitoring communications or attributes of one or more entities (e.g., alerting of an unknown classification, a low granularity classification, etc.), as described herein. The one or more notifications could also include one or more recommendations, as described herein. The notification may be any of a variety of notifications, e.g., IT ticket, email, SMS, an HTTP notification, etc., as described herein.

Action component 718 is operable for initiating or triggering one or more remediation actions or security actions according to one or more policies, e.g., based on a classification of an entity, as described herein. Action component 718 may further be configured to perform other operations including checking compliance status, finding open ports, etc. Action component 718 may restrict network access, signal a patch system or service, signal an update system or service, etc., as described herein. The action component 718 may thus, among other things, invoke automatic patching, automatic updating, automatic restriction of network access of an entity (e.g., that has out-of-date software or based on an access rule violation or attempted violation), or automatic change of an entity to another network portion (e.g., VLAN), as described herein.

The actions may include restricting network access to a particular level (e.g., full, limited, or no network access), remediation actions (e.g., triggering patch systems or services, triggering update systems or services, triggering third party product action, etc.), informational actions (e.g., sending an email notification to a user or IT administrator or creating an IT ticket reflecting the level of compliance), and logging actions (e.g., logging or storing the compliance level).

Recommendation determination component 720 is operable to determine one or more recommendations (e.g., based on the results of checks), as described herein. The one or more recommendations may include changing the configuration on a SPAN port or port mirroring port, changing the configuration on VPN associated entities, inputting credentials for one or more network entities (e.g., network switches), etc., as described herein.

Recommendation performing component 722 is operable to perform one or more of the one or more recommendations (e.g., determined by the recommendation determination component 720), as described herein. For example, recommendation performing component 722 may use network credentials to change the configuration of a SPAN port to increase the data available for classification or use network credentials to access an ARP table of a network device.

Feedback component 724 is operable to determine feedback based on the performance of the one or more recommendations, as described herein. Feedback component 724 may further be operable to provide the feedback to a cloud-based resource or other repository to allow improvement of classifier 700.

The system 700 may be software stored on a non-transitory computer readable medium having instructions encoded thereon that, when executed by a processing device, cause the processing device to access network traffic from a network and select an entity. The instructions may further cause the processing device to determine one or more values associated with one or more properties associated with the entity, where the one or more values are accessed from the network traffic. The instructions may further cause the processing device to determine a classification of the entity and, in response to the classification meeting a condition, determine, by the processing device, one or more properties that are unavailable in the network traffic. The instructions may further cause the processing device to determine a data source associated with the one or more properties for which a value is not present in the network traffic, and store the data source associated with the one or more properties that are unavailable in the network traffic.

In some embodiments, the instructions may further cause the processing device to perform an action with respect to the data source associated with the one or more properties that are unavailable in the network traffic. In various embodiments, the action with respect to the data source associated with the one or more properties that are unavailable in the network traffic comprises at least one of changing a configuration of one or more network devices, changing a configuration of a SPAN or mirror port, adding network infrastructure login information, or getting an updated profile library. In some embodiments, the one or more properties that are unavailable in the network traffic are associated with at least one of dynamic host configuration protocol (DHCP) traffic, active scanning, hypertext transfer protocol (HTTP) traffic, a profile library being out of date, a media access control (MAC) address, unidirectional traffic, or an address resolution protocol (ARP) table.

In various embodiments, the condition comprises at least one of a classification confidence value associated with the classification being below a threshold, a plurality of classifications associated with the entity, or an unknown classification. In some embodiments, the instructions may further cause the processing device to display a notification comprising a reference to the data source associated with the one or more properties that are unavailable in the network traffic. In various embodiments, the notification comprises a message to perform a manual classification.

FIG. 8 is a block diagram illustrating an example computer system, in accordance with one implementation of the present disclosure. FIG. 8 illustrates a diagrammatic representation of a machine in the example form of a computer system 800 within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed. In alternative embodiments, the machine may be connected (e.g., networked) to other machines in a local area network (LAN), an intranet, an extranet, or the Internet. The machine may operate in the capacity of a server or a client machine in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, a hub, an access point, a network access control device, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein. In one embodiment, computer system 800 may be representative of a server, such as network monitor device 102 running classifier 700 to classify one or more entities and determine one or more recommendations to improve classification, as described herein.

The exemplary computer system 800 includes a processing device 802, a main memory 804 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM)), a static memory 806 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 818, which communicate with each other via a bus 830. Any of the signals provided over various buses described herein may be time multiplexed with other signals and provided over one or more common buses. Additionally, the interconnection between circuit components or blocks may be shown as buses or as single signal lines. Each of the buses may alternatively be one or more single signal lines and each of the single signal lines may alternatively be buses.

Processing device 802 represents one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. More particularly, the processing device may be a complex instruction set computing (CISC) microprocessor, a reduced instruction set computer (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, a processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 802 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), a network processor, or the like. The processing device 802 is configured to execute processing logic 826, which may be one example of classifier 700 shown in FIG. 7, for performing the operations and steps discussed herein.

The data storage device 818 may include a machine-readable storage medium 828, on which is stored one or more sets of instructions 822 (e.g., software) embodying any one or more of the methodologies of operations described herein, including instructions to cause the processing device 802 to execute classifier 700. The instructions 822 may also reside, completely or at least partially, within the main memory 804 or within the processing device 802 during execution thereof by the computer system 800; the main memory 804 and the processing device 802 also constituting machine-readable storage media. The instructions 822 may further be transmitted or received over a network 820 via the network interface device 808.

The machine-readable storage medium 828 may also be used to store instructions to perform a method for classification (e.g., and classification improvement), as described herein. While the machine-readable storage medium 828 is shown in an exemplary embodiment to be a single medium, the term “machine-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, or associated caches and servers) that store the one or more sets of instructions. A machine-readable medium includes any mechanism for storing information in a form (e.g., software, processing application) readable by a machine (e.g., a computer). The machine-readable medium may include, but is not limited to, magnetic storage medium (e.g., floppy diskette); optical storage medium (e.g., CD-ROM); magneto-optical storage medium; read-only memory (ROM); random-access memory (RAM); erasable programmable memory (e.g., EPROM and EEPROM); flash memory; or another type of medium suitable for storing electronic instructions.

The preceding description sets forth numerous specific details such as examples of specific systems, components, methods, and so forth, in order to provide a good understanding of several embodiments of the present disclosure. It will be apparent to one skilled in the art, however, that at least some embodiments of the present disclosure may be practiced without these specific details. In other instances, well-known components or methods are not described in detail or are presented in simple block diagram format in order to avoid unnecessarily obscuring the present disclosure. Thus, the specific details set forth are merely exemplary. Particular embodiments may vary from these exemplary details and still be contemplated to be within the scope of the present disclosure.

Reference throughout this specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiments is included in at least one embodiment. Thus, the appearances of the phrase “in one embodiment” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment. In addition, the term “or” is intended to mean an inclusive “or” rather than an exclusive “or.”

Additionally, some embodiments may be practiced in distributed computing environments where the machine-readable medium is stored on and/or executed by more than one computer system. In addition, the information transferred between computer systems may either be pulled or pushed across the communication medium connecting the computer systems.

Embodiments of the claimed subject matter include, but are not limited to, various operations described herein. These operations may be performed by hardware components, software, firmware, or a combination thereof.

Although the operations of the methods herein are shown and described in a particular order, the order of the operations of each method may be altered so that certain operations may be performed in an inverse order or so that certain operations may be performed, at least in part, concurrently with other operations. In another embodiment, instructions or sub-operations of distinct operations may be performed in an intermittent or alternating manner.

The above description of illustrated implementations of the invention, including what is described in the Abstract, is not intended to be exhaustive or to limit the invention to the precise forms disclosed. While specific implementations of, and examples for, the invention are described herein for illustrative purposes, various equivalent modifications are possible within the scope of the invention, as those skilled in the relevant art will recognize. The words “example” or “exemplary” are used herein to mean serving as an example, instance, or illustration. Any aspect or design described herein as “example” or “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects or designs. Rather, use of the words “example” or “exemplary” is intended to present concepts in a concrete fashion. As used in this application, the term “or” is intended to mean an inclusive “or” rather than an exclusive “or”. That is, unless specified otherwise, or clear from context, “X includes A or B” is intended to mean any of the natural inclusive permutations. That is, if X includes A; X includes B; or X includes both A and B, then “X includes A or B” is satisfied under any of the foregoing instances. In addition, the articles “a” and “an” as used in this application and the appended claims should generally be construed to mean “one or more” unless specified otherwise or clear from context to be directed to a singular form. Moreover, use of the term “an embodiment” or “one embodiment” or “an implementation” or “one implementation” throughout is not intended to mean the same embodiment or implementation unless described as such. Furthermore, the terms “first,” “second,” “third,” “fourth,” etc. as used herein are meant as labels to distinguish among different elements and may not necessarily have an ordinal meaning according to their numerical designation.

1. A method comprising: accessing network traffic from a network; selecting an entity; determining one or more values associated with one or more properties associated with the entity, wherein the one or more values are accessed from the network traffic; determining a classification of the entity; in response to the classification meeting a condition, determining, by a processing device, one or more properties that are unavailable in the network traffic; determining a data source associated with the one or more properties for which a value is not present in the network traffic; storing an identification of the data source associated with the one or more properties that are unavailable in the network traffic; and performing a remediation action with respect to the data source associated with the one or more properties that are unavailable in the network traffic.

2. (canceled)

3. The method of claim 1, wherein the action with respect to the data source associated with the one or more properties that are unavailable in the network traffic comprises at least one of changing a configuration of one or more network devices, changing a configuration switched port analyzer (SPAN) or mirror port, adding network infrastructure login information, or getting an updated profile library.

4. The method of claim 1, wherein the one or more properties that are unavailable in the network traffic is associated with at least one of dynamic host control protocol traffic (DHCP), active scanning, hypertext transfer protocol (HTTP) traffic, a profile library being out of date, media access control (MAC) address, unidirectional traffic, or an address resolution protocol (ARP) table.

5. The method of claim 1, wherein the condition comprises at least one of a classification confidence value associated with the classification being below a threshold, a plurality of classifications associated with the entity, or an unknown classification of the entity.

6. The method of claim 1 further comprising: displaying a notification comprising a reference to the data source associated with the one or more properties that are unavailable in the network traffic.

7. The method of claim 6, wherein the notification comprises a message to perform a manual classification of the entity.

8. The method of claim 1 further comprising: accessing information associated with the entity from a system; determining, by the processing device, one or more properties that are unavailable in the information from the system.

9. A system comprising: a memory; and a processing device, operatively coupled to the memory, to: access network traffic from a network; select an entity; determine one or more values associated with one or more properties associated with the entity, wherein the one or more values are accessed from the network traffic; determine a classification of the entity; in response to the classification meeting a condition, determine one or more properties that are unavailable in the network traffic; determine a data source associated with the one or more properties for which a value is not present in the network traffic; store an identification of the data source associated with the one or more properties that are unavailable in the network traffic; and perform a remediation action with respect to the data source associated with the one or more properties that are unavailable in the network traffic.

10. (canceled)

11. The system of claim 9, wherein the action with respect to the data source associated with the one or more properties that are unavailable in the network traffic comprises at least one of changing a configuration of one or more network devices, changing a configuration switched port analyzer (SPAN) or mirror port, adding network infrastructure login information, or getting an updated profile library.

12. The system of claim 9, wherein the one or more properties that are unavailable in the network traffic is associated with at least one of dynamic host control protocol traffic (DHCP), active scanning, hypertext transfer protocol (HTTP) traffic, a profile library being out of date, media access control (MAC) address, unidirectional traffic, or an address resolution protocol (ARP) table.

13. The system of claim 9, wherein the condition comprises at least one of a classification confidence value associated with the classification being below a threshold, a plurality of classifications associated with the entity, or an unknown classification of the entity.

14. The system of claim 9, the processing device further to: display a notification comprising a reference to the data source associated with the one or more properties that are unavailable in the network traffic.

15. The system of claim 14, wherein the notification comprises a message to perform a manual classification of the entity.

16. A non-transitory computer readable medium having instructions encoded thereon that, when executed by a processing device, cause the processing device to: access network traffic from a network; select an entity; determine one or more values associated with one or more properties associated with the entity, wherein the one or more values are accessed from the network traffic; determine a classification of the entity; in response to the classification meeting a condition, determine, by the processing device, one or more properties that are unavailable in the network traffic; determine a data source associated with the one or more properties for which a value is not present in the network traffic; store an identification of the data source associated with the one or more properties that are unavailable in the network traffic; and perform a remediation action with respect to the data source associated with the one or more properties that are unavailable in the network traffic.

17. (canceled)

18. The non-transitory computer readable medium of claim 16, wherein the action with respect to the data source associated with the one or more properties that are unavailable in the network traffic comprises at least one of changing a configuration of one or more network devices, changing a configuration switched port analyzer (SPAN) or mirror port, adding network infrastructure login information, or getting an updated profile library.

19. The non-transitory computer readable medium of claim 16, wherein the one or more properties that are unavailable in the network traffic is associated with at least one of dynamic host control protocol traffic (DHCP), active scanning, hypertext transfer protocol (HTTP) traffic, a profile library being out of date, media access control (MAC) address, unidirectional traffic, or an address resolution protocol (ARP) table.

20. The non-transitory computer readable medium of claim 16, wherein the condition comprises at least one of a classification confidence value associated with the classification being below a threshold, a plurality of classifications associated with the entity, or an unknown classification of the entity.

21. The non-transitory computer readable medium of claim 16, wherein the instructions, when executed by the processing device, further cause the processing device to: display a notification comprising a reference to the data source associated with the one or more properties that are unavailable in the network traffic, wherein the notification comprises a message to perform a manual classification of the entity.
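One way to implement the flow of claim 1 together with the condition described in the detailed description (confidence below a threshold, a plurality of classifications, or an unknown classification), as an added example that is not the patent's own code: the block below classifies an entity from the property values observed in traffic, tests the condition, and for each property the candidate profiles rely on but the traffic did not supply, names the data source and the remediation that would make it available. The profile library, property names, data-source strings, confidence threshold and sample entities are all constructed assumptions for the example, not values from the patent.

```python
"""Added example of the classification-improvement flow (not the
patent's own code).  Every profile, property name, data-source string,
threshold and sample entity below is a constructed assumption."""
from dataclasses import dataclass

CONFIDENCE_THRESHOLD = 0.75  # assumed threshold for "confidence below a threshold"

# Constructed profile library: each profile lists the property values that
# indicate it.  A real library would carry far more profiles and properties.
PROFILE_LIBRARY = {
    "ip_camera": {"dhcp_vendor_class": "camera-os", "open_ports": "554"},
    "printer": {"http_user_agent": "PrinterWeb", "open_ports": "9100"},
    "workstation": {"dhcp_vendor_class": "MSFT 5.0", "http_user_agent": "Mozilla"},
}

# Constructed mapping from a property to (data source, remediation action),
# following the kinds of sources and actions the description lists
# (DHCP traffic, HTTP traffic, active scanning, SPAN/mirror configuration).
PROPERTY_SOURCES = {
    "dhcp_vendor_class": ("DHCP traffic", "mirror the DHCP server/relay segment to the SPAN port"),
    "http_user_agent": ("HTTP traffic", "check that the SPAN or mirror port carries both traffic directions"),
    "open_ports": ("active scanning", "enable an active scan of the entity"),
}


@dataclass
class Classification:
    labels: list       # candidate profile names; more than one means a plurality
    confidence: float  # match score of the best candidate(s), 0.0 to 1.0


def classify(values: dict) -> Classification:
    """Score each profile by the fraction of its indicator properties that
    the observed values match.  Equal best scores yield several labels."""
    scores = {}
    for name, indicators in PROFILE_LIBRARY.items():
        matched = sum(1 for k, v in indicators.items() if values.get(k) == v)
        if matched:
            scores[name] = matched / len(indicators)
    if not scores:
        return Classification(["unknown"], 0.0)
    best = max(scores.values())
    return Classification([n for n, s in scores.items() if s == best], best)


def meets_condition(c: Classification) -> bool:
    """The condition that triggers a recommendation: low confidence,
    a plurality of classifications, or an unknown classification."""
    return (c.confidence < CONFIDENCE_THRESHOLD
            or len(c.labels) > 1
            or c.labels == ["unknown"])


def missing_properties(values: dict, c: Classification) -> list:
    """Properties the candidate profiles rely on that were not present in
    the traffic; for an unknown entity every profile is a candidate."""
    candidates = (list(PROFILE_LIBRARY.values()) if c.labels == ["unknown"]
                  else [PROFILE_LIBRARY[n] for n in c.labels])
    needed = set()
    for indicators in candidates:
        needed.update(indicators)
    return sorted(p for p in needed if p not in values)


def recommend(values: dict) -> dict:
    """Run the full flow for one entity: classify, test the condition, and
    map each missing property to its data source and remediation."""
    c = classify(values)
    recs = []
    if meets_condition(c):
        for prop in missing_properties(values, c):
            source, action = PROPERTY_SOURCES[prop]
            recs.append((prop, source, action))
    return {"labels": c.labels, "confidence": c.confidence, "recommendations": recs}


# Constructed sample entities as a network monitor might observe them.
SAMPLE_ENTITIES = {
    "10.0.0.11": {"dhcp_vendor_class": "MSFT 5.0", "http_user_agent": "Mozilla"},
    "10.0.0.12": {"open_ports": "554"},
    "10.0.0.13": {"mac_address": "00:11:22:33:44:55"},
    "10.0.0.14": {"open_ports": "554", "http_user_agent": "PrinterWeb"},
}


def run_samples() -> dict:
    """Recommendations for every constructed sample entity, keyed by address."""
    return {ip: recommend(values) for ip, values in SAMPLE_ENTITIES.items()}


if __name__ == "__main__":
    for ip, result in run_samples().items():
        print(ip, result["labels"], round(result["confidence"], 2))
        for prop, source, action in result["recommendations"]:
            print(f"  missing {prop}: obtain from {source}; {action}")
```

The four samples exercise each branch: a fully matched workstation produces no recommendation, a camera seen only through its open port falls below the threshold and is pointed at DHCP traffic, an entity with only a MAC address is unknown and is pointed at every source the library uses, and an entity matching two profiles equally triggers the plurality branch.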